Dev1 Galaxy Forum / Sudo Vulnerability CVE-2021-3156

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (czeekaj) — Sun, 17 Apr 2022 10:00:26 +0000

I was suspicious and not surprised.
I don't really have this issue anymore, I don't install proprietary Nvidea drivers anymore but I've since smartened up.

But Nvidea drivers the screen would flash.
I uninstall sudo, install Nvidea driver and it didn't flash the screen.
Nvidea must of known about some way to exploit sudo. I couldn't say why or what happened but I was suspicious.

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (hevidevi) — Thu, 07 Oct 2021 13:03:46 +0000

you can also program in completions for doas if you are so inclined.

a few examples i found here https://git.xosc.org/config/tree/.kshrc

#############################################################################
# COMPLETIONS
#############################################################################

# Mostly copied from
# https://github.com/qbit/dotfiles/blob/master/common/dot_ksh_completions

if [ -d ~/.password-store ]; then
	PASS_LIST=$(
		cd ~/.password-store
		find . -type f -name \*.gpg | sed 's/^\.\///' | sed 's/\.gpg$//g'
	)

	set -A complete_tpm_1 -- $PASS_LIST usage
	set -A complete_tpm_2 -- $PASS_LIST edit insert show rm
fi

set -A complete_kill_1 -- -9 -HUP -INFO -KILL -TERM

set -A complete_ifconfig_1 -- $(ifconfig | grep ^[a-z] | cut -d: -f1)

if [ -d /var/db/pkg ]; then
	PKG_LIST=$(/bin/ls -1 /var/db/pkg)
	set -A complete_pkg_info -- $PKG_LIST

	alias dpkgdel="doas pkg_delete"
	set -A complete_dpkgdel_1 -- $PKG_LIST
fi

# relayctl completion.  Second level only for 'show'
set -A complete_relayctl_1 -- monitor show load poll reload stop redirect table host log
set -A complete_relayctl_2 -- summary hosts redirects relays routers sessions

set -A complete_unwindctl_1 -- reload log status

if [ -d /etc/rc.d ]; then
	RCD_LIST=$(/bin/ls /etc/rc.d)
	set -A complete_rcctl_1 -- get getdef set check reload restart stop start disable enable order ls
	set -A complete_rcctl_2 -- $RCD_LIST

	alias drcctl="doas rcctl"
	set -A complete_drcctl_1 -- get getdef set check reload restart stop start disable enable order ls
	set -A complete_drcctl_2 -- $RCD_LIST
fi

set -A complete_tarsnap_1 -- --list-archives --print-stats --fsck --fsck-prune --nuke --verify-config --version --checkpoint-bytes --configfile --dry-run --exclude --humanize-numbers --keyfile --totals

# /tmp/.man-list is generated upon boot by /etc/rc.local with
# find /usr/share/man/ -type f | sed -e 's/.*\///' -e 's/\.[0-9]//' | sort -u
[[ -f /tmp/.man-list ]] && set -A complete_man -- $(cat /tmp/.man-list)

[[ -d $HOME/.marks ]] && set -A complete_j -- $(/bin/ls $HOME/.marks)

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (GlennW) — Thu, 07 Oct 2021 00:13:34 +0000

My bad. I used the command wrong.

Thanks for letting me know, I thought I must be doing something wrong... But, good to know.

ahahaha. relief!

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (superurmel) — Wed, 06 Oct 2021 05:18:05 +0000

GlennW wrote:

Now I'm confused. And I don't use sudo or would have it installed if I could arrange it.
Using the example above... I get
glenn@asus-r552jv:~$ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
glenn@asus-r552jv:~$

My bad. I used the command wrong.

~ % sudoedit -s/
sudoedit: Ungültige Option -- /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-T timeout] [-u user] file ...

I also get this

~ % sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-T timeout] [-u user] file ...

I will give doas a try.

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (dvnUsr) — Wed, 06 Oct 2021 00:42:12 +0000

Oho, just discovered that:

doas -s

is a handy workaround while persist is not working.

I've uninstalled sudo. (There were no dependencies in my installation.)

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (dvnUsr) — Tue, 05 Oct 2021 23:24:51 +0000

@H_O_A_S/@zapper: Thanks for the tip about doas.

I note it can be installed from the repository (http://deb.devuan.org/merged chimaera/main amd64 Packages).

Tried it, but the one thing I need is its "persist" functionality, which doesn't work for me; here's my /etc/doas.conf contents:

permit persist as root

doas runs fine but *always* asks me for the password.

I understand persist doesn't work because the package must have been compiled without first enabling persist. I assume it comes directly from Debian ... https://bugs.debian.org/cgi-bin/bugrepo … bug=983505

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (GlennW) — Tue, 05 Oct 2021 21:01:47 +0000

Now I'm confused. And I don't use sudo or would have it installed if I could arrange it.

Using the example above... I get

glenn@asus-r552jv:~$ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
glenn@asus-r552jv:~$

But checking with apt install... I get

root@asus-r552jv:~# apt install sudo
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
sudo is already the newest version (1.9.5p2-3).
sudo set to manually installed.

I'd get rid of it (sudo), but it is tied to too many other programs...

root@asus-r552jv:~# apt remove sudo
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bluedevil breeze-gtk-theme bup bup-doc gtk2-engines-pixbuf ibus-data ieee-data kde-cli-tools-data kde-config-gtk-style kde-config-sddm kde-style-oxygen-qt5 kgamma5
  khotkeys khotkeys-data kinfocenter kmenuedit ksysguard ksysguard-data kup-backup kwrited libgsettings-qt1 libibus-1.0-5 libkf5su-data libkf5sysguard-bin
  libkpmcore11 libksignalplotter9 liboxygenstyle5-5 liboxygenstyleconfig5-5 libqt5sensors5 libscim8v5 libxcb-record0 oxygen-sounds par2 partitionmanager
  plasma-desktop-data plasma-disks plasma-pa pulseaudio-module-gsettings python3-fuse python3-pylibacl python3-tornado qml-module-gsettings1.0
  qml-module-org-kde-activities qml-module-org-kde-kcm qml-module-org-kde-kio qml-module-org-kde-kitemmodels smartmontools systemsettings xsettingsd
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  kde-cli-tools kde-plasma-desktop kscreen libkf5su-bin libkf5su5 plasma-desktop sudo
0 upgraded, 0 newly installed, 7 to remove and 3 not upgraded.
After this operation, 12.4 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.

That "apt autoremove" list is for after sudo is removed.

Anyhow... I still won't use it. I'm sure I removed the config files from /etc/...

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (superurmel) — Tue, 05 Oct 2021 10:20:49 +0000

Thanks for the reply GlennW

hope this helps.

It still confuses me. I thought that, because I'm on stable, I should get security patches.

As I have sudo version 1.8.27-1+deb10u3, I think I still have the vulnerable version.

Affected version
sudo: 1.8.2 – 1.8.31p2
sudo: 1.9.0 – 1.9.5p1

I'm confused

SOLVED:

Ok, after a little search on debian.org if found out that the version I have (1.8.27-1+deb10u3) is fixed!

I have the fixed version (https://www.debian.org/security/2021/dsa-4839) but still the behavior described on https://haxf4rall.com/2021/01/27/cve-20 … ity-alert/.

How to exploit this bug
Log in to the system as a non-root user and use the command sudoedit -s /
-If you see an error that starts with sudoedit:, it indicates that there is a vulnerability.
-If you see an error starting with usage:, then the patch has taken effect.

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (GlennW) — Tue, 05 Oct 2021 10:00:15 +0000

ah, It's in testing and daedalus 1.9.5p2-3 amd64 [installed,automatic]

glenn@asus-r552jv:~$ su
Password: 
root@asus-r552jv:~# apt list sudo -a
Listing... Done
sudo/testing,testing,daedalus,now 1.9.5p2-3 amd64 [installed,automatic]
sudo/stable 1.8.27-1+deb10u3 amd64

root@asus-r552jv:~#

hope this helps.

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (superurmel) — Tue, 05 Oct 2021 09:55:59 +0000

dice wrote:

if you havent apt updated in a while today would be the day to do it if you use sudo.

Affected version
sudo: 1.8.2 – 1.8.31p2
sudo: 1.9.0 – 1.9.5p1
Solution
In this regard, we recommend that users upgrade sudo to the latest version in time.

Hi. I don't understand. I do check for updates regulary. My version von sudo is:

~ % apt list sudo -a         
Auflistung... Fertig
sudo/stable,stable-security,now 1.8.27-1+deb10u3 amd64  [installiert]
sudo/stable,stable-security 1.8.27-1+deb10u3 i386

And I'm on Devuan 3.1.

My sources-list:

## package repositories
deb http://deb.devuan.org/merged beowulf main contrib non-free
deb http://deb.devuan.org/merged beowulf-updates main contrib non-free
deb http://deb.devuan.org/merged beowulf-security main contrib non-free
deb http://deb.devuan.org/merged beowulf-backports main contrib non-free

What is it I do not understand?
Do I something wroing?

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (zapper) — Sat, 30 Jan 2021 10:05:58 +0000

Head_on_a_Stick wrote:

zapper wrote:
when did get discovered?
Yesterday.
EDIT: the fixed version is 6.8.1.
EDIT2: it looks like the doas package in Hyperbola is orphaned and stuck on an old version (6.6.1).

Hmm, they are doing a lot of different packaging things for 0.4 release, so it may be taking a while. I hope 0.4 is ready soon.

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (Head_on_a_Stick) — Fri, 29 Jan 2021 21:49:48 +0000

zapper wrote:

when did get discovered?

Yesterday.

EDIT: the fixed version is 6.8.1.

EDIT2: it looks like the doas package in Hyperbola is orphaned and stuck on an old version (6.6.1).

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (zapper) — Fri, 29 Jan 2021 21:42:14 +0000

yeti wrote:

zapper wrote:
On Hyperbola I use doas, surprised more distros within linux haven't started using it yet.
Did you check it for having "CVE-2019-25016 (Unsafe, incomplete PATH reset)" fixed?

If I had to guess, I think Hyperbola has fixed that already...

But curiously, when did get discovered?

If it was a year or two ago, for sure.

by for sure, I mean its been solved most likely.

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (Head_on_a_Stick) — Fri, 29 Jan 2021 18:23:38 +0000

yeti wrote:

zapper wrote:
On Hyperbola I use doas, surprised more distros within linux haven't started using it yet.
Did you check it for having "CVE-2019-25016 (Unsafe, incomplete PATH reset)" fixed?

Alpine Linux updated to v6.8.1 within an hour of the upstream release :-)

Re: Sudo Vulnerability CVE-2021-3156

dummy@example.com (mckaygerhard) — Fri, 29 Jan 2021 15:44:45 +0000

sudo is a sh*t that makes a linux box acts like a windo one! puff .. is has a larrge history of several security holes, i mean several security interestelar black holes.. in fact