This Week In Security: Sudo, Database Breaches, And Ransomware

We couldn't resist, OK?
Obligatory XKCD

Sudo is super important Linux utility, as well as the source of endless jokes. What’s not a joke is CVE-2021-3156, a serious vulnerability around incorrect handling of escape characters. This bug was discovered by researchers at Qualys, and has been in the sudo codebase since 2011. If you haven’t updated your Linux machine in a couple days, you may very well be running the vulnerable sudo binary still. There’s a simple one-liner to test for the vulnerability:

sudoedit -s '\' `perl -e 'print "A" x 65536'`

In response to this command, my machine throws this error, meaning it’s vulnerable:

malloc(): corrupted top size
Aborted (core dumped)

To understand the problem with sudo, we have to understand escape characters. It really boils down to spaces in file and folder names, and how to deal with them. You want to name your folder “My Stuff”? That’s fine, but how do you interact with that directory name on the command line, when spaces are the default delimiter between arguments? One option is to wrap it in quotation marks, but that gets old in a hurry. The Unix solution is to use the backslash character as an escape character. Hence you can refer to your fancy folder as My\ Stuff. The shell sees the escape character, and knows to interpret the space as part of the folder name, rather than an argument separator. Escape characters are a common vulnerability location, as there are plenty of edge cases.

Sudo is no exception. The edge case here is a second bug. The sudoedit command launches sudo in editor mode, and is intended to be equivalent to sudo -e. In fact on many systems, sudoedit is a symlink to sudo. The problem is in the command-line parsing code. If you try to invoke sudo with both the -e and -s flags, it treats the command as invalid, and helpfully prints the usage notes. However, when sudoedit is used to launch the editor mode, the -s flag can also be specified, putting sudo into an unintended state, with undefined behavior. After looking over the vulnerability, I’m convinced that this is the more serious of the two bugs. There are likely quite a few other vulnerabilities that could be found as a result of being able to put sudo in two modes of operation at once.

The other problem is how sudo handles an escape character with no following character to escape. The code hops over the null string termination, and keeps copying characters. In a normal usage mode, this code is impossible to execute in this strange way, but because of the odd dual-mode state, this bug can be exploited.

Updated versions of sudo have shipped in the major distros, so make sure you update! Thankfully, while there is a proof-of-concept one-liner that will crash sudo, no actual exploit code has been published. There will likely be full exploit POCs available soon, though.

Load a Webpage, Get iPwned

Apple has published an advisory about what appears to be an attack chain found in the wild against the iOS platform. The chain is a trio of CVEs, two in webkit and one in the kernel. This is likely the work of yet another state-sponsored actor, who put the attack chain together to gather information on a specific group of people. The two webkit CVEs are probably an initial RCE and a sandbox escape. The kernel vuln is then used to elevate to system privileges and run the spyware. It’s typical to see these malware packages run in memory only, and not make any permanent modifications to the device’s OS. If the rest of the story gets released, we can come back and check my guesses for accuracy.

Brazill Leaks Entire Taxpayer Database

It may not be the biggest database leak for raw size, but this must set a per capita record. One of Brazil’s government agencies seems to have let their database escape (in Portuguese), as a whopping 220 million records of CPF number, full name, and date of birth are floating around the shadier side of the internet. This is probably the identifying information of every Brazilian citizen alive, and even some who are no longer with us, because their official population is only 213 million. While the immediate uses for targeted phishing and fraud is obvious, it will be interesting to see what the long term effects are of publishing the equivalent of everyone’s social security number.

And not to be outdone, the dating site MeetMindful has leaked their entire user database as well. If there is any silver lining for the site’s users, it is that no private messages or pictures were part of the leak.

Dovecat. Wait What?

Recently both a Synology user, and a QNAP user discovered a dovecat process pegging their device processors at 100%. What is this strange process, clumsily trying to look like an innocent mail daemon?

Thankfully [Matthew Ruffel] has already done an analysis on this malware. Dovecat is nothing more than the open source XMRig crypto miner, with some hard coded configuration. It’s very possible that any system that has a dovecat process also has the “hy4” malware on it. What might be the most fascinating about this little crypto-mining malware campaign is that it seems to be targeting NAS devices. Alternatively, it may be simply targeting SSH servers with weak passwords.

NetWalker Takedown

The image to the right caught my attention, as there have just been a handful of successful TOR page takedowns like this. The NetWalker infrastructure has been seized, along with over $450,000 in cryptocurrency. A Canadian citizen has been arrested as part of the operation.

Krebs has more details on this story. NetWalker is a ransomware system, and has been called “ransomware-as-a-service”. It remains to be seen if the head of this particular snake has been cut off, or if instead it’s a hydra, and will pop right back up.


VLC has released version 3.0.12. Most of the changelog is normal bug fixes, with support for Apple designed processors being the stand-out new feature, do note that this release also fixed “some security issues”. What issues might those be? While we don’t have the details spelled out, the security bulletin points out a pair of buffer overflows and some invalid pointers being dereferenced. Put clearly, these bugs could probably be used to build an exploit that triggers as a result of viewing a video.

The IObit forums were breached recently, and the user database is being used to spread ransomware. To make the whole scheme seem even more legitimate, the attacker hosted the malicious installer on the compromised site. Here’s where the story takes a humorous turn. The ransom process is also a crypto-currency ponzi scheme! You send us 200 DERO coins to decrypt your files, and once DERO hits $100 a coin, we’ll send you back $500 worth of the coin. It’s a 5X return on your investment!

Drupal just released an update that fixes a potentially severe vulnerability. The Archive_Tar library is used in Drupal core, and contained a directory traversal vulnerability, CVE-2020-36193. This usually means that even if an archive is unzipped in a safe directory, it can overwrite important files elsewhere on the server. Regardless, Drupal considers this a critical issue, and recommends updating right away.

27 thoughts on “This Week In Security: Sudo, Database Breaches, And Ransomware

    1. I have two metrics for including a story here. I either need to find it interesting, or it’s something readers need to know about. The sudo story tickled both of those considerations. Glad to know it’s helpful.

      1. All these articles at least made me configure some kind of auto-update on my exposed machines, even if they don’t have a lot of attack surface nor capabilities.
        I got a VPS from a provider, with nothing on it, and I wasn’t able to log in even once, while the machine was completely pegged. I’m not sure how anyone could have taken over it, since, by default, no services are enabled. The provider just shrugged and was not interested in investigating this.

    1. It is in fact ESR’s truism in action, if a bit slower than we’d all hope for. And the Microsoft essay is correct in nearly all its observations. Open source can be more secure, but only because people like Qualsys are out there looking at and banging on the code.

    1. Me too. Mainly because I’ve had problems in the past dealing with them in ‘code’. Just leave the spaces out people!

      As for the sudo ‘bug’, You still need to be logged in to have access to the app. It’s not like sudo is exposed to the internet. I am still ‘old school’. If I need root access, I login as root ( using ‘su -‘ ) to do admin work. That said, I saw ‘sudo’ come in as update last night when I checked.

      1. I do far less as root when using sudo only in the needed places. So sudo prevents me more from my own errors than a root shell could.

        But as always: Diversity rocks!

    2. remember, there are people who use UTF encoded characters and other non alphanumeric stuff that totally doesn’t belong there (/ and :) just because the UI frontend lets them do so…
      honestly i just can’t understand why the 26+10 alphanumeric chars plus dot, dash and underscore cannot be enough for anybody.

      1. If you spoke some other languages, you would understand.

        Having said that, I hate variable-length UTF. Fixed length would be much preferred by me, despite being longer (more bytes) on the average.

  1. IMO it is high time for governments to implement some sort of official certification process for people who design and write software, otherwise, there will be gaping security issues as long as we allow random people to build our IT infrastructure. In EU making your own car is outlawed and over the years it led to vast improvements in road safety. Same thing can be done for software – if you don’t have resources to perform something akin to vehicle homologation process, but for software, you could always find another hobby like playing music or vacuuming.

    1. More regulation is always a good idea. Nobody is even allowed to own a compiler unless they are certified and have some kind of permit. And of course you allow the government the right to conduct unscheduled inspections of your property and the contents of your computer. It all makes good sense to me.

    2. “In EU making your own car is outlawed …”

      If that is true, it has only been so since Brexit. There is a whole culture of self-built cars here, and not all are made from kits.

      1. Building DIY cars probably depends on the country. In some countries it is prohibitively expensive to homologate your own vehicle, or even putting a different engine in. AFAIK in UK it was possible to do this, might still even be.

        A good law should be that compenies put the source code and toolkit into a public escrow, becoming public domain (though with rights reserved) when the company goes out of business or stops providing critical updates.

  2. I just removed sudo from most of the Linux boxes under my care. I have little need for it. But I was amused to find one system I’ve not been able to update because of its role was never affected. New code can introduce just as many vulnerabilities as old code. And it looks like this bug was introduced trying to prevent a security bug. :-/

    The sudo folk have a nice download page where those who are no longer receiving security updates for their OS can find fixed packages. This page demonstrates that this is not a “Linux” bug. Yes, its affected IF sudo is installed, but so are many other OS users. So check it out:

    Combined with a successful phishing or WordPress exploit this could get ugly. So please update or uninstall.

  3. I have been working with unix/linux for 25 years, maybe longer. Never found a need for sudo. I know huge wars have been fought by the pro and anti sudo gang. My approach is just delete it and be happy. On systems that insist on it, sudo su always solves my problems.

    1. “My approach is just delete it and be happy” .
      Never thought of just uninstalling/deleting it. Go figure. Thx …. On RPIs, I do use sudo ‘one time’ on initial boot — to set the root password. Then never touch sudo again. I could be wrong, but I ‘think’ I’ve had to use this method after other installs also. It has been awhile since I installed anything desktop/server wise (I run LTS distros), but I don’t recall the install scripts asking for the root password like they used to. People say it is ‘dangerous’, but like you, I’ve never created more work for myself using ‘su -‘ command, doing what needs to be done, and then exit back to user land.

  4. Should writing plugins for existing software require certification as well,
    What about a 3 line batch/bash script to bulk convert a directory.
    Both are everyday tasks which many people are likely to publish for the convenience of others,
    which can have profound security implications.

  5. This was announced recently; The state of Washington stated that 1.6 million records of applicants for unemployment assistance had been hacked through an outside third party. To me this is totally irresponsible and shows a distaste of security in the management of confidential files that should have been fully isolated.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.