so for up to 2 years it has been trivial to escalate to root on any machine that had sudo >=1.19.4 installed. amazing. marvelous.
-
@mildsunrise what happened again
-
@a1ba sudo processed the --chroot option before actually reading sudoers, so you can make it load a custom binary https://openwall.com/lists/oss-security/2025/06/30/3
-
@mildsunrise certified screaming sandwich moment
-
it doesn't require anything. it doesn't even require normal rules in sudoers. I'm not sure it even requires a sudoers at all, just the sudo binary to be installed.
the only consolation is that it's not (known to be) exploitable on systems using something other than glibc
-
this is so insultingly easy to exploit + widely affecting that I'm considering if it was a backdoor. either way my trust in sudo as a project is completely shattered by now
-
@mildsunrise if the --chroot option isn't widely used, this sounds more like the log4j vuln, where someone asked to keep a feature nobody owned, so nobody was taking care of it.
-
@mildsunrise "trust completely shattered" is an extremely strong statement to make, along with concerns about a backdoor. Is there other background that leads you to believe this?
-
@hipsterelectron trust is shattered because chrooting to a fully untrusted path to do anything other than immediately dropping privileges should be an immediate code smell... although looking at the patches now I kinda walk my words back a bit, it isn't entirely obvious that we get to the function before even checking sudoers
-
@mildsunrise @hipsterelectron on the other hand, a tool whose only purpose is to be a backdoor for admins... shouldn't be that complex?
Same goes for PAM honestly.