Recent root-giving Sudo bug also impacts macOS

by | Feb 3, 2021

Post Views: 1,829

style="display:block" data-ad-client="ca-pub-6620833063853657" data-ad-slot="8337846400" data-ad-format="auto" data-full-width-responsive="true">

Reading Time: 1 Minute

A bug in the Sudo app can let attackers with access to a local system to elevate their access to a root-level account.

A British security researcher has discovered today that a recent security flaw in the Sudo app also impacts the macOS operating system, and not just Linux and BSD, as initially believed.

The vulnerability, disclosed last week as CVE-2021-3156 (aka Baron Samedit) by security researchers from Qualys, impacts Sudo, an app that allows admins to delegate limited root access to other users.

Qualys researchers discovered that they could trigger a “heap overflow“ bug in the Sudo app to change the current user’s low-privileged access to root-level commands, granting the attacker access to the whole system.

The only condition to exploit this bug was that an attacker gain access to a system, which researchers said could be done by either planting malware on a device or brute-forcing a low-privileged service account.

See Also: Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual hard disks

style=”display:block” data-ad-client=”ca-pub-6620833063853657″ data-ad-slot=”8337846400″ data-ad-format=”auto” data-full-width-responsive=”true”>

In their report last week, Qualys researchers said they only tested the issue on Ubuntu, Debian, and Fedora. They said that are UNIX-like operating systems are also impacted, but most security researchers thought the bug might impact BSD, another major OS that also ships with the Sudo app.

LATEST MACOS VERSION ALSO IMPACTED

But as Matthew Hickey, the co-founder of Hacker House, pointed out on Twitter today, the recent version of macOS also ships with the Sudo app.

Hickey said he tested the CVE-2021-3156 vulnerability and found that with a few modifications, the security bug could be used to grant attackers access to macOS root accounts as well.

style=”display:block” data-ad-client=”ca-pub-6620833063853657″ data-ad-slot=”8337846400″ data-ad-format=”auto” data-full-width-responsive=”true”>

CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one's privileges to 1337 uid=0. Fun for @p0sixninja pic.twitter.com/tyXFB3odxE
— Hacker Fantastic 📡 (@hackerfantastic) February 2, 2021

“To trigger it, you just have to overwrite argv[0] or create a symlink, which therefore exposes the OS to the same local root vulnerability that has plagued Linux users the last week or so,” Hickey told ZDNet today, prior to sharing a video of the bug in question.

His findings were also privately and independently verified and confirmed to ZDNet by Patrick Wardle, one of today’s leading macOS security experts, and publicly by Will Dormann, a vulnerability analyst at the Carnegie Mellon University’s CERT Coordination Center.

style=”display:block” data-ad-client=”ca-pub-6620833063853657″ data-ad-slot=”8337846400″ data-ad-format=”auto” data-full-width-responsive=”true”>

Can confirm with macOS Big Sur on both x86_64 and aarch64. pic.twitter.com/nQqQ8rskv7
— Will Dormann (@wdormann) February 2, 2021

Hickey told ZDNet the bug could be exploited in the recent version of macOS, even after applying the recent security patches Apple released on Monday.

The researcher said he notified Apple of the issue earlier today. Apple declined to comment as it investigates the report; however, even without an official confirmation from the Cupertino-based tech giant, a patch is most likely expected for such a serious issue.

In addition, other researchers found that the bug could also be exploited on IBM AIX systems.

style=”display:block” data-ad-client=”ca-pub-6620833063853657″ data-ad-slot=”8337846400″ data-ad-format=”auto” data-full-width-responsive=”true”>

Source: www.zdnet.com