sudo
cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*
- 1.9.17p2-4
A vulnerability in Sudo versions through 1.9.17p2 has been identified, allowing for local privilege escalation. This issue arises from a failure to properly handle setuid, setgid, or setgroups calls during a privilege drop before executing the mailer. The vulnerability can be exploited by loading a restrictive AppArmor profile that denies Sudo the ability to drop root privileges, causing Sudo to execute commands as root with preserved environment variables. The flaw has been acknowledged and fixed in the official Sudo repository.
Exploitation of this vulnerability allows an unprivileged user to escalate privileges to root by manipulating Sudo's execution of the mailer through a crafted AppArmor profile.
The vulnerability can be reproduced by loading an AppArmor profile that denies Sudo's setuid capability, preventing it from dropping root privileges before executing the mailer. This can be done by writing a profile that denies specific syscalls to Sudo, and then using Sudo to execute a command with a controlled environment variable that triggers the privilege escalation.
Users can update to Sudo versions 1.9.17p2-1ubuntu1.1 or 1.9.15p5-3ubuntu5.24.04.2, where this vulnerability has been fixed.
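An added illustration, not taken from the Sudo source: the general shape of a privilege drop that goes unnoticed when denied, next to a hardened form that refuses to continue. The call table, function names and stubs are hypothetical; ignored return values are an assumed form of the "failure to properly handle" described above, and the stubs simulate a profile denying the uid change so the example runs without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical call table (not sudo's code) so a denied syscall, as under
 * a restrictive AppArmor profile, can be simulated without root. In real
 * use the members would point at setgroups(2), setgid(2) and setuid(2). */
struct priv_ops {
    int (*set_groups)(size_t, const gid_t *);
    int (*set_gid)(gid_t);
    int (*set_uid)(uid_t);
};

/* Unsafe: results ignored, so a denied call goes unnoticed and the caller
 * proceeds to exec the helper with its original identity. */
static int drop_unchecked(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    (void)ops->set_groups(1, &gid);
    (void)ops->set_gid(gid);
    (void)ops->set_uid(uid);
    return 0; /* always reports success */
}

/* Hardened: groups, then gid, then uid; the first failure aborts the drop
 * and the caller must not exec anything. */
static int drop_checked(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->set_groups(1, &gid) != 0) return -1;
    if (ops->set_gid(gid) != 0) return -1;
    if (ops->set_uid(uid) != 0) return -1;
    return 0;
}

/* Constructed stubs: every call succeeds except a set_uid denied with EPERM. */
static int ok_groups(size_t n, const gid_t *g) { (void)n; (void)g; return 0; }
static int ok_gid(gid_t g) { (void)g; return 0; }
static int ok_uid(uid_t u) { (void)u; return 0; }
static int denied_uid(uid_t u) { (void)u; errno = EPERM; return -1; }

static const struct priv_ops allowed_ops = { ok_groups, ok_gid, ok_uid };
static const struct priv_ops denied_ops = { ok_groups, ok_gid, denied_uid };

int main(void)
{
    printf("allowed, checked:  %d\n", drop_checked(&allowed_ops, 1000, 1000));
    printf("denied, unchecked: %d\n", drop_unchecked(&denied_ops, 1000, 1000));
    printf("denied, checked:   %d\n", drop_checked(&denied_ops, 1000, 1000));
    return 0;
}
```

A caller that gets -1 from the checked variant should log the error and exit rather than fall through to the exec of the helper program.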