October 26, 2016
A flaw exists in sudo's noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses either the system() or popen() functions.
Sudo versions affected: 1.6.8 through 1.8.14p3 inclusive.
This vulnerability has been assigned CVE-2016-7032 in the Common Vulnerabilities and Exposures database.
Sudo supports an optional setting to prevent the command being executed from executing further commands. On most platforms this is implemented as a dynamic shared object file that is loaded by the dynamic loader when sudo sets the LD_PRELOAD environment variable to the fully-qualified path of sudo_noexec.so. The sudo_noexec.so file prevents the execution of further commands by replacing functions that would otherwise execute a new command with versions that always return an error.
Versions of sudo prior to 1.8.15 relied on replacing the exec() family of functions, which are used by higher-level functions such as system() and popen() to run commands. However, some systems, notably Linux with the GNU C library, use internal (private) symbol names when calling functions (and system calls) defined within the C library itself. This means that, for instance, the system() function calls an internal symbol instead of the globally-visible execve() symbol. As a result, it is not possible for sudo_noexec.so to prevent commands from being executed by system() or popen() by replacing the exec() family of functions.
Both system() and popen() invoke the shell, /bin/sh, when executing commands. Unlike the C library, the shell uses the globally-visible execve() symbol when executing a command. This means that while the shell itself can be executed, it is unable to run external commands. However, it is still possible to use shell built-in commands and I/O redirection. As such, it may be possible for a malicious user to modify system files, potentially including the sudoers file itself.
Exploitation of the bug requires that the sudoers file be configured such that either the noexec Defaults setting is enabled or the NOEXEC tag is applied to commands a malicious user may run.
Successful exploitation of the bug will allow a user to run shell built-in commands or modify the file system using I/O redirection even when the NOEXEC tag is specified for a command or the noexec Defaults setting is in effect.
The bug was fixed in sudo 1.8.15, which wraps the system() and popen() functions in addition to the exec() family.
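As an added illustration that is not part of the advisory and not sudo's own sudo_noexec.c, the following C file shows the shape of a noexec interposer built the way the fix describes: the exec() family is replaced as before, and system() and popen() are replaced directly, because on glibc those two never reach the interposed execve(). The libc function names are real; noexec_selftest(), the NOEXEC_SELFTEST macro and the build commands in the header comment are assumptions of this example.

```c
/*
 * Added example, not sudo's sudo_noexec.c: a minimal noexec interposer.
 * Every function that would start a new program is replaced by a stub
 * that fails with EACCES, the behaviour the advisory describes.
 *
 * The first group (exec() family) is what pre-1.8.15 versions relied on.
 * On glibc that is not enough, because system() and popen() reach execve
 * through a private internal symbol, so the second group wraps the
 * shell-spawning entry points themselves, as sudo 1.8.15 does.
 *
 * Assumed build lines:
 *   preloadable object:  gcc -shared -fPIC -o noexec_demo.so noexec_demo.c
 *   stand-alone check:   gcc -DNOEXEC_SELFTEST -o noexec_demo noexec_demo.c
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* exec() family: the only functions wrapped before sudo 1.8.15 */
int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)path; (void)argv; (void)envp;
    errno = EACCES;
    return -1;
}

int execv(const char *path, char *const argv[])
{
    (void)path; (void)argv;
    errno = EACCES;
    return -1;
}

int execvp(const char *file, char *const argv[])
{
    (void)file; (void)argv;
    errno = EACCES;
    return -1;
}

/* Shell-spawning entry points added in 1.8.15. glibc's system() and
 * popen() start /bin/sh through an internal symbol, so the execve()
 * stub above never sees them; refusing here is what closes the
 * built-in-command and I/O-redirection path. */
int system(const char *command)
{
    (void)command;
    errno = EACCES;
    return -1;
}

FILE *popen(const char *command, const char *type)
{
    (void)command; (void)type;
    errno = EACCES;
    return NULL;
}

/* Returns 1 when every wrapped entry point refuses to run /bin/true
 * with EACCES, 0 otherwise. Nothing is actually executed. */
int noexec_selftest(void)
{
    char *const argv[] = { "/bin/true", NULL };
    char *const envp[] = { NULL };
    int blocked = 0;

    errno = 0;
    if (system("/bin/true") == -1 && errno == EACCES)
        blocked++;
    errno = 0;
    if (popen("/bin/true", "r") == NULL && errno == EACCES)
        blocked++;
    errno = 0;
    if (execve("/bin/true", argv, envp) == -1 && errno == EACCES)
        blocked++;

    return blocked == 3;
}

#ifdef NOEXEC_SELFTEST
int main(void)
{
    int ok = noexec_selftest();
    printf("noexec wrappers %s\n",
           ok ? "cover execve(), system() and popen()" : "INCOMPLETE");
    return ok ? 0 : 1;
}
#endif
```

The in-process self-test only confirms that the wrapped symbols resolve to the stubs. The realistic check of a noexec shim is the one the advisory implies: preload the shared object (LD_PRELOAD) into a program that calls system() or popen(), and confirm the call fails rather than starting /bin/sh.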
The ability to bypass noexec using shell built-in commands and I/O redirection was reported by Florian Weimer.