defango

Untitled

Feb 5th, 2020
https://arstechnica.com/information-technology/2020/02/serious-flaw-that-lurked-in-sudo-for-9-years-finally-gets-a-patch/

“Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled,” an advisory published by sudo developers said. “The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password. An example of exploit code is:”

    $ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
    Password: Segmentation fault

The advisory lists two flaws that lead to the vulnerability. The first: pwfeedback isn’t ignored as it should be when reading from something other than a terminal. As a result, the saved version of a line erase character remains at its initialized value of 0. The second contributor is that the code that erases the line of asterisks doesn’t properly reset the buffer position if there is an error writing data. Instead, the code resets only the remaining buffer length.

As a result, input can write past the end of the buffers. On systems with unidirectional pipes, an attempt to write to the read end of the pipe results in a write error. Because the remaining buffer length isn’t reset correctly when write errors result from line erasures, the stack buffer can be overflowed.

“If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account,” the advisory stated. “Because the attacker has complete control of the data used to overflow the buffer, there is a high likelihood of exploitability.”

The sudo version history shows that the vulnerability was introduced in 2009 and remained active until 2018, with the release of 1.8.26b1. Systems or software using a vulnerable version should move to version 1.8.31 as soon as practical. Those who can’t update right away can prevent exploits by making sure pwfeedback is disabled. To check its status, run:

    sudo -l

If pwfeedback is listed in the outputted “Matching Defaults entries,” the sudoers configuration is vulnerable on affected sudo versions. The following is an example of output that indicates a vulnerable sudo configuration:

    $ sudo -l
    Matching Defaults entries for millert on linux-build:
        insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail

    User millert may run the following commands on linux-build:
        (ALL : ALL) ALL

Disabling pwfeedback involves using the visudo command to edit the sudoers file and adding an exclamation point so that

    Defaults pwfeedback

becomes:

    Defaults !pwfeedback

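
The check described above can be scripted for use across many hosts. The following is an added example, not code from the article or from the sudo project: the function name pwfeedback_state and the two samples marked as constructed are assumptions, and it assumes a negated option appears as !pwfeedback in the Defaults listing.

```shell
#!/bin/sh
# Added example (not from the article): classify pwfeedback from `sudo -l` text.
# Real use:  sudo -l | pwfeedback_state

# Reads `sudo -l` output on stdin; prints enabled, disabled or unset.
# Only the "Matching Defaults entries" section is inspected. Assumption:
# if the option is listed more than once, the later entry wins.
pwfeedback_state() {
    awk '
        /^Matching Defaults entries/ { in_defaults = 1; next }
        /^User .* may run the following commands/ { in_defaults = 0 }
        in_defaults {
            n = split($0, opts, ",")
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", o)
                if (o == "pwfeedback")  state = "enabled"
                if (o == "!pwfeedback") state = "disabled"
            }
        }
        END { if (state == "") state = "unset"; print state }
    '
}

# The sample output shown in the article.
SAMPLE_ENABLED='Matching Defaults entries for millert on linux-build:
    insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail

User millert may run the following commands on linux-build:
    (ALL : ALL) ALL'

# Constructed: option negated; the word also appears in a command rule,
# which a plain grep for "pwfeedback" would misreport.
SAMPLE_DISABLED='Matching Defaults entries for alice on host1:
    env_reset, !pwfeedback, mail_badpass

User alice may run the following commands on host1:
    (root) /usr/bin/grep pwfeedback /etc/sudoers'

# Constructed: option never mentioned.
SAMPLE_UNSET='Matching Defaults entries for bob on host2:
    env_reset, mail_badpass

User bob may run the following commands on host2:
    (ALL) ALL'

for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_UNSET"; do
    printf '%s\n' "$s" | pwfeedback_state
done
```

A result of "enabled" means the host needs either the update to 1.8.31 or the Defaults !pwfeedback change described above.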
The vulnerability was reported by Joe Vennix from Apple’s information security group.