Flaw in Sudo Gives Root Access

A vulnerability in sudo, a command utility for Linux, could allow a user to execute commands as root even if root access has been specifically blocked. Sudo is a utility that lets a system administrator give specified users or groups the ability to run commands as any other user, including root, without having to log in with a different profile. Sudo also logs all commands and arguments in a centralized audit trail, so admins know which user ran which command and in which context. As a security policy, admins can also specifically block root access for certain users. The bug allows attackers to bypass this built-in option to block root access for specified users.

Red Hat explained in a posting that a flaw was found in the way Sudo implemented running commands with an arbitrary user ID. If a sudoers entry allows a user to run a command as any user except root, the flaw allows a hacker to bypass that restriction. Joe Vennix of Apple Information Security found that the flaw can be exploited by specifying the user ID of the person executing commands as -1 or 4294967295. The bug resolves these IDs to the value 0, which is the user ID for root access. Since Sudo doesn't require a password to run commands in the context of another user, it is easy to exploit.


Linux distributions that contain the ALL keyword in the RunAs specification in the /etc/sudoers configuration file are affected. The ALL keyword allows all users in a specific group to run any command as any valid user on the system and is usually present in default configurations of Linux. Sudo patched the vulnerability in version 1.8.28, but Linux distributions will still have to roll it out to their users.
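To check a system against the conditions described above, the following sketch flags sudoers entries whose RunAs list contains ALL, marks those that also try to exclude root, and compares a version string with 1.8.28. It is an added example, not code from the article or the sudo project; the function names, labels and sample entries are constructed for illustration.

```python
import re

FIXED = (1, 8, 28)  # release the article names as carrying the patch
RUNAS_RE = re.compile(r"=\s*\(([^)]*)\)")  # Runas spec, e.g. "= (ALL, !root)"
COMMENT_RE = re.compile(r"#(?!-?\d).*")    # '#' starts a comment unless it is a #uid
ROOT_EXCLUSIONS = {"!root", "!#0"}         # ways an entry says "anyone except root"

def is_patched(version_text):
    """True if a string like 'Sudo version 1.8.27' is at or above FIXED."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"no x.y.z version in {version_text!r}")
    return tuple(map(int, m.groups())) >= FIXED

def audit_sudoers(text):
    """Return (line_no, label, entry) for each entry whose Runas user list has ALL.

    Simplifications (assumptions of this sketch): one entry per line, no
    backslash continuations, Runas_Alias names are not expanded.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = COMMENT_RE.sub("", raw).strip()
        m = RUNAS_RE.search(line)
        if not m:
            continue
        # Text before ':' is the run-as user list; after it is the group list.
        users = {"".join(u.split()) for u in m.group(1).split(":")[0].split(",")}
        if "ALL" not in users:
            continue
        # ALL plus an exclusion of root is the policy the flaw defeats.
        label = "root-block-bypassable" if users & ROOT_EXCLUSIONS else "runas-all"
        findings.append((no, label, line))
    return findings

# Constructed sample input, not taken from any real system.
SAMPLE = """\
# constructed sudoers entries
root   ALL=(ALL:ALL) ALL
alice  ALL=(ALL, !root) /usr/bin/id
bob    ALL=(www-data) /usr/bin/systemctl
%ops   ALL = (ALL, !#0) NOPASSWD: /usr/bin/id
"""

if __name__ == "__main__":
    for no, label, entry in audit_sudoers(SAMPLE):
        print(f"line {no}: {label}: {entry}")
    print("1.8.27 patched?", is_patched("Sudo version 1.8.27"))
```

Distribution packages can carry a backported fix under an older upstream version number, so treat the version comparison as a first pass and confirm against the distribution's own advisory.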