Serious vulnerability in sudo allows gaining root privileges

Security researchers at Qualys have discovered a serious vulnerability (CVE-2021-3156) in the sudo utility, which is used to run commands on behalf of other users.

The vulnerability allows privilege escalation to root without authorization. Any local user can exploit the problem, without belonging to any system group and without having an entry in the /etc/sudoers file.

The attack does not require entering the user's password, which means an outside attacker can use the vulnerability to elevate privileges on the system after compromising an unprivileged process (including those running as the "nobody" user).

To check whether your system is vulnerable, run the command "sudoedit -s /" as a normal, non-root user: the system is vulnerable if an error message beginning with "sudoedit:" is displayed, and patched if the message begins with "usage:".

About the vulnerability

The vulnerability has been present since July 2011 and is caused by a heap-based buffer overflow in the handling of backslash escape characters in arguments intended for execution in shell mode. Shell mode is enabled with the "-i" or "-s" option and causes the command to be run not directly but through an additional shell invocation with the "-c" flag ("sh -c command").

The root of the problem is that when sudo is run normally with the "-i" or "-s" option, it escapes special characters in the arguments, but when it is run as sudoedit the arguments are not escaped, because the parse_args() function sets the MODE_EDIT flag instead of MODE_SHELL and does not reset the "valid_flags" value.

In turn, passing the unescaped arguments creates the conditions for a second bug to show up in the handler that strips escape characters before the sudoers rules are checked.

That handler mishandles a lone, unescaped backslash at the end of an argument: it assumes the backslash escapes one more character, skips over the terminating null byte and keeps reading past the end of the argument, copying the data into the heap-allocated "user_args" buffer and overwriting memory beyond the end of that buffer.

By manipulating the arguments on the sudoedit command line, an attacker can make the overwritten range land on data that influences sudo's subsequent behaviour.

Writing an exploit is further simplified by the fact that the attacker fully controls the size of the user_args buffer (it equals the combined length of all the arguments passed) and, through environment variables, also controls the size and content of the data written beyond the buffer.
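The escape-stripping loop described above, reproduced as an added example that is not sudo's own source: the vulnerable loop is modelled on the copy loop in sudo's set_cmnd() (the names NewArgv and user_args are kept to match the text), and a hardened version that refuses to step over an argument's terminating null byte is placed beside it. The argv blob is constructed to mimic the kernel's back-to-back layout of argument strings, so that the bytes after the trailing backslash are the next argument; the byte counts returned by demo_overflow() are for this constructed input only.

```c
/* Added example (not sudo's code): the trailing-backslash bug behind
 * CVE-2021-3156, modelled on sudo's set_cmnd() copy loop, next to a
 * hardened copy. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed argv area.  The kernel places argv strings back to back, so
 * the byte after one argument's NUL is the first byte of the next.  Here
 * "hello\" (trailing backslash) is followed by a 24-byte filler argument. */
static const char ARGV_BLOB[] = "hello\\\0" "AAAAAAAAAAAAAAAAAAAAAAAA";

/* Size sudo computes for user_args: one strlen()+1 per argument. */
size_t compute_size(const char *const *NewArgv)
{
    size_t size = 0;
    for (; *NewArgv; NewArgv++)
        size += strlen(*NewArgv) + 1;
    return size;
}

/* Vulnerable copy (pre-1.9.5p2 shape): a backslash followed by a non-space
 * byte is dropped and the following byte copied unconditionally.  For a
 * trailing backslash that byte is the NUL terminator, so the loop copies it
 * and keeps reading into whatever follows in memory.  Returns the number of
 * bytes written including the final NUL; the caller supplies an oversized
 * destination so the overrun is absorbed for this demonstration. */
size_t copy_args_vulnerable(const char *const *NewArgv, char *user_args)
{
    char *to = user_args;
    const char *from;
    for (; (from = *NewArgv); NewArgv++) {
        while (*from) {
            if (from[0] == '\\' && !isspace((unsigned char)from[1]))
                from++;            /* BUG: from[1] may be the terminating NUL */
            *to++ = *from++;
        }
        *to++ = ' ';
    }
    *--to = '\0';
    return (size_t)(to - user_args) + 1;
}

/* Hardened copy: a backslash at the very end of an argument is copied
 * literally, so the loop never reads past the terminator and the bytes
 * written never exceed compute_size(). */
size_t copy_args_fixed(const char *const *NewArgv, char *user_args)
{
    char *to = user_args;
    const char *from;
    for (; (from = *NewArgv); NewArgv++) {
        while (*from) {
            if (from[0] == '\\' && from[1] != '\0' &&
                !isspace((unsigned char)from[1]))
                from++;
            *to++ = *from++;
        }
        *to++ = ' ';
    }
    *--to = '\0';
    return (size_t)(to - user_args) + 1;
}

/* Runs both loops over the constructed argv and returns how many bytes the
 * vulnerable loop writes beyond the size sudo would have allocated. */
size_t demo_overflow(void)
{
    /* "hello\" and the filler argument that follows it in memory */
    const char *NewArgv[] = { ARGV_BLOB, ARGV_BLOB + 7, NULL };
    char scratch[256] = {0};
    size_t size = compute_size(NewArgv);
    size_t vuln = copy_args_vulnerable(NewArgv, scratch);
    size_t safe = copy_args_fixed(NewArgv, scratch);
    printf("allocated %zu, vulnerable loop wrote %zu, fixed loop wrote %zu\n",
           size, vuln, safe);
    return vuln > size ? vuln - size : 0;
}

int main(void)
{
    printf("heap overrun of %zu bytes\n", demo_overflow());
    return 0;
}
```

With this input sudo would allocate 32 bytes for user_args, the vulnerable loop writes 56 and the hardened loop exactly 32. In real sudo the bytes past the terminator are the attacker's remaining arguments and environment strings, which is the control over size and content of the overflow that the text describes.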

Qualys researchers prepared three exploits, all based on overwriting the contents of the sudo_hook_entry, service_user and def_timestampdir structures:

  • By overwriting sudo_hook_entry, a binary named "SYSTEMD_BYPASS_USERDB" can be run as root.
  • Overwriting service_user allows arbitrary code to be executed as root.
  • By overwriting def_timestampdir, it is possible to dump the contents of the sudo stack, including environment variables, into the /etc/passwd file and thereby substitute a user account with root privileges.

The researchers demonstrated working exploits that obtain full root privileges on Ubuntu 20.04, Debian 10 and Fedora 33.

The vulnerability can probably be exploited on other operating systems and distributions, but the researchers' verification was limited to Ubuntu, Debian and Fedora. All sudo versions from 1.8.2 to 1.8.31p2 and from 1.9.0 to 1.9.5p1 are affected in their default configuration. The fix is provided in sudo 1.9.5p2.

The researchers notified the developers in advance, and the distributions have already released coordinated updates: Debian, RHEL, Fedora, Ubuntu, SUSE / openSUSE, Arch Linux, Slackware, Gentoo and FreeBSD.

Finally, if you are interested in learning more about the vulnerability, you can check the details at the following link.

