A flaw was found in the way sudo implemented running commands with an arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction.

This flaw only affects specific, non-default configurations of sudo, in which a sudoers configuration entry allows a user to run a command as any user except root, for example:

jjames ALL = (ALL, !root) /usr/bin/vim

In this configuration, user jjames is authorised to run vim as any user other than root.

However, this flaw also allows jjames to run vim as root by specifying the target user with the numeric ID -1. Only the specified command can be run: the flaw does NOT allow the user to run commands other than those listed in the sudoers entry.

Please see the examples below.

First, try to run vim as root through sudo:

~|⇒ sudo vim

You will get an error message that says:

Sorry, user jjames not allowed to execute vim as root on ubuntu

To exploit this, specify the user ID as -1:

~|⇒ sudo -u#-1 vim

vim opens as root, and you can edit and save files.

To check whether your sudoers configuration is affected by this vulnerability, we recommend examining each sudoers entry that includes the ! character in the Runas specification and confirming that the root user is not among the exclusions. Such entries live in the /etc/sudoers file and in files under /etc/sudoers.d.
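As an added example (not part of the original post), a POSIX shell function that performs this check: it scans the given sudoers files and reports every entry whose Runas user list excludes root. It assumes that the numeric form !#0 should be treated like !root, and it does not expand Runas_Alias definitions or #include directives, so those still need a manual look.

```shell
#!/bin/sh
# find_root_exclusions FILE... : print "file:lineno:entry" for every sudoers
# entry whose Runas user list excludes root, the "(ALL, !root)" shape that
# the flaw above turns into root access. Comment lines are skipped.
# Assumption: "!#0" (root's numeric uid) is treated the same as "!root".
# Runas_Alias definitions and #include'd files are not expanded.
find_root_exclusions() {
  for f in "$@"; do
    [ -r "$f" ] || continue
    # number the lines, drop comments, keep only lines with a "(...)" Runas spec
    grep -n '(' "$f" | grep -v '^[0-9]*:[[:space:]]*#' |
    while IFS= read -r numbered; do
      # take the text between the first "(" and the next ")", then keep only
      # the user list (anything after ":" is the Runas group list)
      runas=${numbered#*\(}
      runas=${runas%%\)*}
      runas=${runas%%:*}
      # check each comma-separated Runas element for an exclusion of root
      if printf '%s\n' "$runas" | tr ',' '\n' |
           sed 's/^[[:space:]]*//;s/[[:space:]]*$//' |
           grep -qxE '!(root|#0)'; then
        printf '%s:%s\n' "$f" "$numbered"
      fi
    done
  done
  return 0
}

# count_root_exclusions FILE... : number of affected entries (0 means none found)
count_root_exclusions() {
  find_root_exclusions "$@" | wc -l | tr -d ' '
}

# When run as a script with file arguments, scan them, e.g. as root:
#   sh check_sudoers.sh /etc/sudoers /etc/sudoers.d/*
if [ "$#" -gt 0 ]; then
  find_root_exclusions "$@"
fi
```

A non-zero count means the restriction in that entry is ineffective on an unpatched sudo, and the entry should be reviewed.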