October 26, 2016
A flaw exists in sudo's noexec
functionality that may allow
a user with sudo privileges to run additional commands even when
tag has been applied to a command that uses the
Sudo versions affected:
1.6.8 through 1.8.18 inclusive.
This vulnerability has been assigned CVE-2016-7076
in the Common
Vulnerabilities and Exposures
Sudo supports an optional setting to prevent the command being
executed from executing further commands. On most platforms this
is implemented as a dynamic shared object file that is loaded by
the dynamic loader when sudo sets the LD_PRELOAD
variable to the fully-qualified path of sudo_noexec.so
file prevents the execution of further
commands by replacing the functions that would otherwise execute a
new command with versions that always return an error.
Versions of sudo prior to 1.8.18p1 did not replace the wordexp()
function which may be used to run commands when the WRDE_NOCMD
flag is not specified.
Exploitation of the bug requires that the sudoers file be configured
such that either the noexec
Defaults setting is enabled
or the NOEXEC
tag is applied to a command that calls the
wordexp() function without specifying the WRDE_NOCMD
Successful exploitation of the bug will allow a user to additional
commands even when the NOEXEC tag is specified for a command
or the noexec Defaults setting is in effect.
The bug was fixed in sudo 1.8.18p1. When noexec
sudo now wraps the wordexp() function and always adds the
flag before calling the C library version of
the function. Additionally, on Linux systems that support seccomp
filters, access to the execve() system call has been disabled
This problem was reported by Florian Weimer who also suggested
using a seccomp filter on Linux.