A flaw was found in the way sudo implemented running commands with an arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction.
This flaw only affects specific, non-default configurations of sudo, in which a sudoers configuration entry allows a user to run a command as any user except root, for example:
jjames ALL = (ALL, !root) /usr/bin/vim
In this configuration, user jjames is authorised to run vim as any user other than root. However, this flaw also allows that user to run vim as root by specifying the target user with the numeric ID -1. Only the specified command can be run; this flaw does NOT allow the user to run commands other than those specified in the sudoers configuration.
See the examples below.
I am trying to run vim as sudo
~|⇒ sudo vim
Password:
You will get an error message that says:
Sorry, user jjames not allowed to execute vim as root on ubuntu
To exploit this, specify the user ID as -1:
~|⇒ sudo -u#-1 vim
Password:
The vim editor will open, and you can edit and save files.
To ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the ! character in the runas specification, to ensure that the root user is not among the exclusions. These can be found in the /etc/sudoers file or files under /etc/sudoers.d.
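One way to automate the review described above, as an added example that is not code from the original page: a small Python scanner that lists sudoers rules whose runas user list contains a ! exclusion. The function names and the sample entries are constructed for illustration, and the Runas_Alias check goes one step beyond the text, since an exclusion can also be defined in an alias.

```python
import re

RUNAS_RE = re.compile(r"\(([^)]*)\)")      # runas spec, e.g. "(ALL, !root)"
COMMENT_RE = re.compile(r"#(?!-?\d).*")    # '#' that does not start a numeric ID
NEGATED_RE = re.compile(r"!+\s*[^\s,:]+")  # "!root", "!#0", ...

# Constructed sample, not taken from a real host.
SAMPLE = r"""# local policy
root    ALL = (ALL:ALL) ALL
jjames  ALL = (ALL, !root) /usr/bin/vim
Runas_Alias NOTROOT = ALL, !#0   # alias used below
ops     ALL = (NOTROOT) \
              /usr/bin/less
#includedir /etc/sudoers.d
"""

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None

def find_runas_exclusions(text):
    """Return (line_number, exclusions, entry) for every rule or Runas_Alias
    whose runas user list contains a '!' exclusion."""
    findings = []
    for n, line in logical_lines(text):
        entry = COMMENT_RE.sub("", line).strip()
        if not entry or entry.startswith("Defaults"):
            continue
        if entry.startswith("Runas_Alias"):
            lists = [entry.partition("=")[2]]
        else:
            # Keep only the user part of "(users : groups)".
            lists = [spec.split(":", 1)[0] for spec in RUNAS_RE.findall(entry)]
        hits = [h for lst in lists for h in NEGATED_RE.findall(lst)]
        if hits:
            findings.append((n, hits, entry))
    return findings

if __name__ == "__main__":
    for n, hits, entry in find_runas_exclusions(SAMPLE):
        print(f"line {n}: review {', '.join(hits)} in: {entry}")
```

On a real host, pass the function the contents of /etc/sudoers and of each file under /etc/sudoers.d; reading them requires root.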