CVE-2023-42456 in sudo-rs

Summary

by MITRE • 09/21/2023

Sudo-rs, a memory-safe implementation of sudo and su, allows users to skip authentication on every sudo attempt and instead requires authentication only periodically, per terminal or process group. Only once a configurable timeout has passed will the user have to re-authenticate. Supporting this functionality is a set of session files (timestamps) for each user, stored in `/var/run/sudo-rs/ts`. These files are named according to the username from which the sudo attempt is made (the origin user).

An issue was discovered in versions prior to 0.2.1 where usernames containing the `.` and `/` characters could result in the corruption of specific files on the filesystem. As usernames are generally not limited in the characters they can contain, a username that appears to be a relative path can be constructed. For example, one could add a user to the system with the username `../../../../bin/cp`. When logged in as a user with that name, that user could run `sudo -K` to clear their session record file. The session code constructs the path to the session file by concatenating the username to the session file storage directory, resulting in a resolved path of `/bin/cp`. The code then clears that file, effectively removing the `cp` binary from the system.

An attacker needs to be able to log in as a user with such a constructed username. Given that such a username is unlikely to exist on an existing system, they will also need to be able to create users with constructed usernames.

The issue is patched in version 0.2.1 of sudo-rs. Sudo-rs now uses the uid for the user instead of their username for determining the filename. Note that an upgrade to this version will result in existing session files being ignored and users will be forced to re-authenticate. It also fully eliminates any possibility of path traversal, given that uids are always integer values.

The `sudo -K` and `sudo -k` commands can run even if a user has no sudo access. As a workaround, make sure that one's system does not contain any users with a specially crafted username. As long as this is the case and untrusted users do not have the ability to create arbitrary users on the system, the issue should not be exploitable.


Analysis

by VulDB Data Team • 10/14/2023

The vulnerability identified as CVE-2023-42456 affects sudo-rs, a memory-safe implementation of the sudo and su commands designed to provide enhanced security through Rust-based development practices. This implementation introduces a session management system that allows users to avoid repeated authentication prompts within a configurable timeout period, storing timestamp files in the /var/run/sudo-rs/ts directory. The system generates session file names based on the originating user's username, creating a potential attack vector through improper input validation and path construction mechanisms. The flaw stems from the assumption that usernames will not contain special characters that could alter the intended filesystem path resolution, particularly characters such as the dot and forward slash that are commonly used in path traversal attacks.

The technical implementation of this vulnerability occurs when sudo-rs processes user session files by directly concatenating the username to the session storage directory path without proper sanitization or validation of the username content. When a user account is created with a specially crafted username containing path traversal sequences such as `../../../../bin/cp`, the system's path construction logic resolves these sequences, allowing attackers to target arbitrary files on the filesystem. This represents a classic path traversal vulnerability that maps directly to CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The attack specifically targets the `sudo -K` command which clears session records, but the vulnerability extends to any operation that constructs filesystem paths based on user-provided identifiers without proper sanitization.

The operational impact of this vulnerability is significant as it enables attackers with legitimate user access to potentially remove critical system binaries from the filesystem through the session file clearing mechanism. The attack requires both the ability to create user accounts with crafted usernames and to authenticate as those users, making it a privilege escalation vector that could result in complete system compromise. Even if an attacker cannot create accounts, they must be able to log in as an existing user with a maliciously crafted username, which would require either pre-existing compromised accounts or the ability to modify existing user accounts. This vulnerability affects system integrity and availability, potentially allowing attackers to remove essential system utilities and binaries, thereby disabling critical system functions.

The mitigation strategy implemented in sudo-rs version 0.2.1 addresses this vulnerability by replacing username-based session file naming with UID-based identifiers, eliminating the possibility of path traversal attacks through user input. This approach aligns with security best practices by using immutable system identifiers rather than potentially malicious user-provided data for critical filesystem operations. The upgrade process requires users to re-authenticate as existing session files are no longer recognized due to the change in naming convention, which is a necessary trade-off for security. This solution also provides protection against other potential attacks that might exploit similar path traversal patterns in user account management systems.

The vulnerability's remediation demonstrates the importance of input validation and the principle of least privilege in security implementation, where system identifiers should not be directly derived from potentially malicious user input. Organizations should ensure immediate deployment of sudo-rs version 0.2.1 or later, while also implementing monitoring for suspicious user account creation activities and maintaining strict controls over user account management processes. The vulnerability also highlights the need for robust validation of all user-provided data in system-level operations, particularly when such data is used to construct filesystem paths or execute system commands, as this represents a common attack pattern that can be exploited across multiple system components and security contexts.
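The username-based path construction described in the summary and the UID-based naming of the 0.2.1 fix discussed above, as an added Rust example; this is not sudo-rs's own code, and `TS_DIR`, the two path builders and the lexical containment check are assumed names used for illustration.

```rust
use std::path::{Component, Path, PathBuf};

// Session file directory named on the page; assumed constant for this example.
const TS_DIR: &str = "/var/run/sudo-rs/ts";

/// Pre-0.2.1 style naming: the path is derived from the username, so a
/// username that looks like a relative (or absolute) path escapes TS_DIR.
fn session_path_by_name(username: &str) -> PathBuf {
    Path::new(TS_DIR).join(username)
}

/// 0.2.1 style naming: a uid is an integer, so the resulting file name
/// can never contain `.` or `/` and the path always stays inside TS_DIR.
fn session_path_by_uid(uid: u32) -> PathBuf {
    Path::new(TS_DIR).join(uid.to_string())
}

/// Lexically resolve `.` and `..` without touching the filesystem, so the
/// check below works even when the target does not exist yet.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in path.components() {
        match c {
            Component::ParentDir => {
                out.pop();
            }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Defensive containment check: does the constructed path still live under TS_DIR?
fn stays_in_ts_dir(path: &Path) -> bool {
    normalize(path).starts_with(TS_DIR)
}

fn main() {
    // Constructed sample username taken from the advisory text.
    let crafted = session_path_by_name("../../../../bin/cp");
    println!("by name : {} -> {}", crafted.display(), normalize(&crafted).display());
    println!("contained? {}", stays_in_ts_dir(&crafted));
    let fixed = session_path_by_uid(1000);
    println!("by uid  : {} contained? {}", fixed.display(), stays_in_ts_dir(&fixed));
}
```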

Responsible

GitHub, Inc.

Reservation

09/08/2023

Disclosure

09/21/2023

Moderation

accepted

CPE

ready

EPSS

0.00127

KEV

no

Activities

very low
