Sudo is super important Linux utility, as well as the source of endless jokes. What’s not a joke is CVE-2021-3156, a serious vulnerability around incorrect handling of escape characters. This bug was discovered by researchers at Qualys, and has been in the sudo codebase since 2011. If you haven’t updated your Linux machine in a couple days, you may very well be running the vulnerable sudo binary still. There’s a simple one-liner to test for the vulnerability:
sudoedit -s '\' `perl -e 'print "A" x 65536'`
In response to this command, my machine throws this error, meaning it’s vulnerable:
malloc(): corrupted top size
Aborted (core dumped)
To understand the problem with sudo, we have to understand escape characters. It really boils down to spaces in file and folder names, and how to deal with them. You want to name your folder “My Stuff”? That’s fine, but how do you interact with that directory name on the command line, when spaces are the default delimiter between arguments? One option is to wrap it in quotation marks, but that gets old in a hurry. The Unix solution is to use the backslash character as an escape character. Hence you can refer to your fancy folder as My\ Stuff. The shell sees the escape character, and knows to interpret the space as part of the folder name, rather than an argument separator. Escape characters are a common vulnerability location, as there are plenty of edge cases. Continue reading “This Week In Security: Sudo, Database Breaches, And Ransomware”→
If you’ve done anything with a modern Linux system — including most variants for the Raspberry Pi — you probably know about sudo. This typically allows an authorized user to elevate themselves to superuser status to do things.
However, there is a problem. If you have sudo access, you can do anything — at least, anything the sudoers file allows you to do. But what about extremely critical operations? We’ve all seen the movies where launching the nuclear missile requires two keys counter-rotated at the same time and third firing key. Is there an equivalent for Linux systems?
It isn’t exactly a counter-rotating key, but the sudo_pair project — a prelease open-source project from Square — gives you something similar. The project is a plugin for sudo that allows you to have another user authorize a sudo request. Not only do they authorize it, but they get to see what is happening, and even abort it if something bad is happening.
It was just one of these nights. We were sitting at the O’Neil’s San Mateo Pub, taking a break after a long day at the Maker Faire. Hackaday was hosting an informal drink-up and a steady stream of colorful characters has just started flowing in. That’s when we met [Robert Coggeshall].
It started off as a normal discussion – he runs Small Batch Assembly and does a lot of interesting things in the maker space. Then he brought up a fascinating detail – “Oh, did you know I also co-invented sudo back in the 80’s?”
If you ever did as much as touch a Unix system, you’ll know this is a big deal. What came as an even bigger surprise was that something like sudo had to be “invented” in the first place. When thinking about the base Unix toolkit, there is always this feeling that it all emerged from some primordial soup of ideas deep inside of Bell Labs, brought to life by the infinite wisdom of [Ken Thompson] and the rest of the gang. Turns out that wasn’t always the case. We couldn’t miss asking [Bob] for an interview, and he told us how it all came about…
[W1ndman] won’t win any security awards for this build, but it’s an interesting idea. On many Linux-based systems commands can be run with administrator privileges by prefacing them with the keyword ‘sudo’. Normally you’d be asked for a password but [W1ndman] used the Pluggable Authentication Modules (PAM) to authenticate via his own shell script. That script checks a code from this rotary dial for authentication. An Arduino takes care of listening for each digit that is entered and then sends the code via USB for comparison with a stored file. We’re not sure if that stored code is in a plain file or is otherwise protected, but at the very least this prevents you from using ‘sudo’ willy-nilly.