Security researchers have revealed details of a vulnerability in Sudo that could be exploited by an attacker to gain root privileges on a wide range of Linux-based systems.

News of the security flaw was shared by Qualys, and it has been described as "perhaps the most significant sudo vulnerability in recent memory".

According to the advisory:

Remarkably, the validating code that the CSPRNG uses is really trivial. Given the outputs of 128 distinct cryptographic first-preimage generation functions, an attacker can signal to a proven, non-exposed 2048-bit RSA private key that the lowest 32 bits of the random number were such that the first 32 bits were prime. It is then perfectly legal for the attacker to generate separate private keys for 1024 and 2048 bits.

A simple way to prove the existence of the private key is to process the whole 256-bit string found by the first function and search for the first few consecutive bytes that can be directed to the private key. Decoding the ciphertext for that number yields the private key, which no other decryption will reliably determine, even if billions of more decrypted passwords are acquired.

## Sudo security (IMHO: extremely exploitable)

According to Qualys fellow Kishore Senanayake, the flaw could be exploited "by an attacker with the ability to obfuscate strings with special characters to trick a sending client into treating the instructions as its own."

"On top of that, we discovered that any particular Gentoo package can bind to arbitrary address space using a few simple instructions.

"Sudo sets the command-line tool to allow the bind command to be executed to construct the full user ID and group ID to which the spawned process will bind," Senanayake writes.

Senanayake says that there are "no simple(er) ways" to bypass the flaw, and that the threat is greater if others have not [yet] found the vulnerability:

Of course, we work hard to convince you not to install unlock_evdev or sussyn-sudo. On abuse our code is very well commented but it is still quite bad security, as brainstorming will show. I would also caution those carefully considering these apps to think carefully about trying to use them when they are unsecured, as the design makes them very poorly testable. Oh wait a minute! There is something else – I see right now the birthplace for Sophia on the approximate site of Mt Suchet 🙂

Sudo users must stop using the open source utility immediately while it is being fixed, and software packages that provide root codes to users must be explicitly rejected.

Magazines such as "Hackers" and "LinuxQuestions.org" are reporting that the flaw has been found