Fixed Sudo flaw in macOS gave root-command privileges to all users

Sudo is an important utility within macOS and other Unix-based systems, including Linux, with it typically used to run administrative commands with the security privileges of a superuser or "root." It is a well-used element of system maintenance and configuration via the Terminal, and has the potential to cause havoc if misused.

Found by Apple security employee Joe Vennix, the vulnerability in sudo is a privilege escalation vulnerability, one that has been given the tracking code CVE-2019-18634. At its core, the vulnerability can allow a user that doesn't typically have permissions to perform tasks that require administrative access to do just that.

For versions of sudo before 1.8.26, The Hacker News reports a stack-based buffer overflow issue is present, requiring the "pwfeedback" option to be enabled within the sudoers configuration file. The feature provides users with an asterisk when they input a password into Terminal.

Though it is not typically enabled by default in many packages if pwfeedback is enabled, the exploit itself can be performed by any user of a system, even without access to the sudo permissions.

According to sudo developer Todd C. Miller, the bug can be observed "by passing a large input to sudo via a pipe when it prompts for a password." As the attacker has "complete control of the data used to overflow the buffer," this means there is a "high likelihood of exploitability."

Last week, Apple released a patch update for macOS High Sierra 10.13.6, macOS Mojave 10.14.6, and macOS Catalina 10.15.2 to fix the problem. Vennix reported the issue to the sudo maintainer team, which has released a patch fixing the problem, bringing sudo up to 1.8.31.

The issuance of the patches, as well as the unlikelihood of having pwfeedback enabled from the outset makes it improbable that most users will be affected by attacks using the vulnerability.

Even so, end users are able to check if their Mac is still affected by running the command "sudo -l" in the macOS Terminal, and seeing if pwfeedback is listed under "Matching Defaults entries." In cases where it is enabled but macOS wasn't patched, it can be disabled by changing "Defaults pwfeedback" to "Defaults !pwfeedback" within the sudoers configuration file.

This is not the first sudo issue Vennix has uncovered. In 2019, an exploit allowed bad actors to similarly run commands as root, by specifiying their user ID as "-1" or "4294967295."