Sudo

Potential bypass of sudo_noexec.so on Linux

A flaw exists in sudo’s noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses either the system() or popen() functions.

Sudo versions affected:

1.6.8 through 1.8.14p3 inclusive.

CVE ID:

This vulnerability has been assigned CVE-2016-7032 in the Common Vulnerabilities and Exposures database.

Details:

Sudo supports an optional setting to prevent the command being executed from executing further commands. On most platforms this is implemented as a dynamic shared object file that is loaded by the dynamic loader when sudo sets the LD_PRELOAD environment variable to the fully-qualified path of sudo_noexec.so. The sudo_noexec.so file prevents the execution of further commands by replacing functions that would otherwise execute a new command with versions that always return an error.

Versions of sudo prior to 1.8.15 relied on replacing the exec() family of functions which are used by higher level functions such as system() and popen() to run commands. However, some systems, notably Linux with the GNU C library, use internal (private) symbol names when calling functions (and system calls) defined within the C library itself. This means that, for instance, the system() function calls an internal symbol instead of the globally-visible execve() symbol. As a result, it is not possible for sudo_noexec.so to prevent commands from being executed by system() or popen() by replacing execve().

Both system() and popen() invoke the shell, /bin/sh, when executing commands. Unlike the C library, the shell uses the globally-visible execve() symbol when executing a command. This means that while the shell itself can be executed, it is unable to run external commands. However, it is still possible to use shell built-in commands and I/O redirection. As such, it may be possible for a malicious user to modify system files, potentially including the sudoers file itself.

Impact:

Exploitation of the bug requires that the sudoers file be configured such that either the noexec Defaults setting is enabled or the NOEXEC tag is applied to commands a malicious user could run.

Successful exploitation of the bug will allow a user to run shell built-in commands or modify the file system using I/O redirection even when the NOEXEC tag is specified for a command or the noexec Defaults setting is in effect.

Fix:

The bug was fixed in sudo 1.8.15 which wraps the system() and popen() functions directly.
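To make the mechanism in the Details section and the 1.8.15 fix concrete, here is an added, minimal noexec-style interposer in the spirit of sudo_noexec.so. It is example code written for this page, not sudo's own source; it assumes glibc on Linux, that it is built as a shared object (`cc -shared -fPIC -o noexec.so noexec.c`) and loaded through LD_PRELOAD, and it wraps only a representative subset of the exec family.

```c
/* Added example (not sudo's code): a noexec interposer in the style of
 * sudo_noexec.so. Build with `cc -shared -fPIC -o noexec.so noexec.c` and
 * load via LD_PRELOAD. Every wrapper refuses to run anything. The exec*()
 * layer is what the pre-1.8.15 shim relied on; the system()/popen()
 * wrappers at the bottom correspond to the direct wrapping added in 1.8.15. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Fail the same way the real function would on a permission error:
 * errno = EACCES, return -1 (exec family, system) or NULL (popen). */
#define NOEXEC_FAIL(ret) do { errno = EACCES; return (ret); } while (0)

/* exec family: /bin/sh uses the public execve symbol, so this is enough to
 * stop the shell from running external commands. A complete shim also wraps
 * the remaining exec*() variants and posix_spawn(). */
int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)path; (void)argv; (void)envp;
    NOEXEC_FAIL(-1);
}

int execv(const char *path, char *const argv[])
{
    (void)path; (void)argv;
    NOEXEC_FAIL(-1);
}

int execvp(const char *file, char *const argv[])
{
    (void)file; (void)argv;
    NOEXEC_FAIL(-1);
}

/* The gap described in Details: glibc's system() and popen() reach the
 * kernel through internal symbols, never through the public execve above,
 * so the exec wrappers never see them. Wrapping both directly closes it. */
int system(const char *command)
{
    (void)command;
    NOEXEC_FAIL(-1);
}

FILE *popen(const char *command, const char *type)
{
    (void)command; (void)type;
    NOEXEC_FAIL(NULL);
}
```

When linked into a program directly (as the checks below do) the same definitions interpose the C library's symbols for calls made from that program, which is a convenient way to confirm each wrapper's return value before deploying the shared object.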

Credit:

The ability to bypass noexec using shell built-in commands and I/O redirection was reported by Florian Weimer.