In late 2022, a vulnerability was discovered in the popular Linux utility Sudo. Tracked as CVE-2022-43995, this bug affects Sudo versions 1.8. through 1.9.12 only when configured to use the crypt() password backend. Due to an array-out-of-bounds issue in the plugins/sudoers/auth/passwd.c file, a user entering a password with 7 or fewer characters can trigger a heap-based buffer over-read. This post will break down the vulnerability, show a simplified code snippet, demonstrate a proof-of-concept, and offer references for deeper study.
What Is Sudo & Why Does This Matter?
Sudo is a core utility on Unix and Linux systems that lets trusted users run commands as another user, usually the superuser. Any security flaw in Sudo is concerning, since it can be directly exploited for privilege escalation or to glean sensitive information.
Where’s the Bug?
The bug lives in Sudo’s authentication code, specifically when verifying passwords via the classic Unix crypt() function:
- If a user is prompted by Sudo for a password, and they enter 7 characters or fewer, Sudo’s code can read outside of the password buffer in memory.
- The exact consequences depend on your OS, processor, and how your system’s libraries are built — but outcomes can include crashes or, sometimes, secrets being accidentally leaked to the attacker.
The Code: Vulnerable Excerpt
Here’s a simplified version of the buggy code, focusing on where the out-of-bounds condition happens:
// This code lives in plugins/sudoers/auth/passwd.c
char buffer[8];
size_t len = strlen(user_input_password); // user_input_password: whatever the attacker typed
// ...
memcpy(buffer, user_input_password, 8); // Copies up to 8 bytes, even if input is shorter
// ...
char *crypted = crypt(buffer, salt);
if (strcmp(crypted, system_shadow_entry) == ) {
// Password matches, authenticate
}
What’s Wrong?
When the user enters less than 8 chars, memcpy copies their input over but leaves the rest of buffer with whatever random data was in memory. Then the code crypts and compares the result — but now with unpredictable content in buffer. This can accidentally leak data via timing or error messages.
Exploit: Can This Be Used in the Real World?
TL;DR:
*On its own, this bug will not let you instantly root a system. But...*
Crash Sudo (heap-based buffer over-read can trigger segfaults).
2. Leak heap data, *potentially* extracting sensitive secrets (like passwords, or authentication tokens) via repeated probes and timing side-channels.
Terminal Example
$ sudo -l
[sudo] password for victim: 123456
[sudo] password for victim: 1234567
[sudo] password for victim: qwerty
...
Every short password entered causes a heap over-read in Sudo (if the system uses crypt() backend).
With some builds, this bug causes Sudo to crash – a denial of service.
- On others, careful attackers could scan memory layout or, in rare cases, leak sensitive tokens or secrets.
No public exploit achieves full privilege escalation *yet*, but attackers usually start from memory over-reads and escalate as they find combos with other bugs.
Upgrade to Sudo 1.9.12p1 (or newer), where the bug is patched.
Monitor logs for repeated Sudo authentication failures — could indicate probing.
Patched Code:
The patch initializes the buffer before use
char buffer[8] = {}; // Guarantees any unused bytes are zeroed
size_t len = strlen(user_input_password);
if (len > 8) len = 8;
memcpy(buffer, user_input_password, len); // Now no out-of-bounds read
Learn More
- Mitre CVE Record CVE-2022-43995
- Sudo Security Announcements
- Source Patch
Final Thoughts: Is My System At Risk?
Most modern Linux systems use *PAM* for Sudo authentication, and never touch the crypt() backend. But if you’re on legacy Unix, old Linux, or custom builds, check your Sudo version and auth settings!
Have a system that needs to stay secure? Don’t wait — patch today.
*This post presents an exclusive, easy-to-understand technical breakdown suitable for security professionals and curious sysadmins alike. Stay safe!*
Timeline
Published on: 11/02/2022 14:15:00 UTC
Last modified on: 12/06/2022 00:15:00 UTC