| |
F4BWT > LINUX 19.10.19 19:52l 47 Lines 2668 Bytes #999 (0) @ WW
BID : 19079_F4BWT
Read: GUEST
Subj: Sudo fix my vulnerability.
Path: IW8PGT<I3XTY<I0OJJ<I0OJJ<GB7CIP<GB7YEW<F4BWT
Sent: 191015/1645Z 19079@F4BWT.#95.FRPA.FRA.EU LinBPQ6.0.19
>From f4bwt%f4bwt.#95.frpa.fra.eu@i0ojj.ampr.org Tue Oct 15 18:50:42 2019
Received: from i0ojj.ampr.org by i0ojj.ampr.org (JNOS2.0k.3b2) with SMTP
id AA29543 ; Tue, 15 Oct 2019 18:50:42 +0200
Message-Id: <19079_F4BWT@i0ojj.bbs>
>From: f4bwt@f4bwt.#95.frpa.fra.eu
X-JNOS-User-Port: Telnet (i0ojj @ 44.134.32.240) -> Sending message
One of Linux's most important commands had a glaring security flaw
Sudo fix my vulnerability.
If you've used the command line in Linux or a Unix-based platform like macOS, you're probably familiar with the "sudo" command
-- it lets you run tasks with different (usually elevated) permissions than you'd otherwise have. It's powerful, but it was app
arently too powerful until now. Developers have fixed a flaw in sudo that let you claim root-level access even if the configura
tion explicitly forbids it. So long as an intruder had enough access to run sudo in the first place, they could perform any act
ion they wanted on a given machine.
The quirk revolved around sudo's treatment of user IDs. If you typed the command with a user ID of -1 or its unsigned equivalen
t 4294967295, it would treat you as if you had root access (user ID 0) even as it recorded the actual user ID in the log. The u
ser IDs in question don't exist in the password database, either, so the command won't require a password to use.
Linux users can update to a newer sudo package (1.8.28 or later) to fix the flaw. You might not be immediately vulnerable, as a
ny attacker will need to have command line control over your system before they can even consider exploiting the flaw -- at tha
t point, you probably have larger problems. Still, it's not entirely comforting to know that such an important command was vuln
erable.
Via: The Hacker News
Source: Sudo
In this article: command line, gear, linux, operating system, personal computing, personalcomputing, security, software, unix,
vulnerability
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories
include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
https://www.engadget.com/2019/10/14/linux-unix-sudo-command-security-flaw/?guccounter=1&guce_referrer=aHR0cHM6Ly90LmNvL0tYQmdFU
Gp5Rm0_YW1wPTE&guce_referrer_sig=AQAAAB-VzI-VUT6O_Bo6S_nQAFL7pkOwYfCE5OwRBZEMayvJB1COabTCJAX7EC4ellMhoH8Kt6AGjTSWdIJPXWWJAVdgsn
1XnNd8HXXL4xZXFccCnvW9fpmPL6gtnoEsMK7NkZ6SXIdcfY6Is_NPOJTL8l-gGRI_KuVI7R3gO07Gznjc
https://www.engadget.com/2019/10/07/macos-catalina-available-to-download-october-7/
https://xkcd.com/149/
https://www.sudo.ws/alerts/minus_1_uid.html
73's QRO
Read previous mail | Read next mail
| |
