Global infos:

Sudo through 1.8.29 allows local users to escalate to root if they have write access to file descriptor 3 of the sudo process. This occurs because of a race condition between determining a uid, and the setresuid and openat system calls. The attacker can write "ALL ALL=(ALL) NOPASSWD:ALL" to /proc/#####/fd/3 at a time when Sudo is prompting for a password. NOTE: This has been disputed due to the way Linux /proc works. It has been argued that writing to /proc/#####/fd/3 would only be viable if you had permission to write to /etc/sudoers. Even with write permission to /proc/#####/fd/3, it would not help you write to /etc/sudoers

CVE Status: Modified

References:

[email protected]

af854a3a-2127-422b-91ae-364da2661108

Metrics:

Attribute	Value
Attack Complexity	HIGH
Attack Vector	LOCAL
Availability Impact	HIGH
Base Score	7
Base Severity	HIGH
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Privileges Required	LOW
Scope	UNCHANGED
User Interaction	NONE
Vector String	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability Score	1
Impact Score	5.9
Source	[email protected]
Type	Primary

Links:

Exploit-db
Github