sudo-rs Privilege Escalation Vulnerability via Incorrect UID Timestamp Handling

A vulnerability in sudo-rs versions 0.2.5 through 0.2.9 allows for privilege escalation by improperly handling user authentication timestamps. With the 'Defaults targetpw' or 'Defaults rootpw' options enabled, the software should use the UID of the authenticated user for timestamping. However, it mistakenly records the UID of the invoking user. This error can lead to bypassing authentication requirements, allowing a user with knowledge of one account's password to access other accounts they are permitted to via sudo. This issue is particularly problematic as it enables users to exploit the sudo password management features, such as using their own password to gain root access, undermining the purpose of the targetpw and rootpw settings.

Impact

Exploitation of this vulnerability allows a user with sudo privileges to impersonate other accounts or gain unauthorized root access, depending on the sudoers configuration.

Reproduction

To reproduce this vulnerability, first ensure that sudo-rs is installed and configured with 'Defaults targetpw' or 'Defaults rootpw'. Then, execute a command using sudo while the timestamp is still valid. The authentication will incorrectly reference the invoking user's UID, potentially allowing for unauthorized access to other accounts or root privileges.

Remediation

Users can upgrade to sudo-rs version 0.2.10, which addresses this vulnerability. Precompiled binaries are available on the official GitHub release page.