Sudo

Potential bypass of sudo_noexec.so via wordexp()

A flaw exists in sudo’s noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses the wordexp() function.

Sudo versions affected:

1.6.8 through 1.8.18 inclusive.

CVE ID:

This vulnerability has been assigned CVE-2016-7076 in the Common Vulnerabilities and Exposures database.

Details:

Sudo supports an optional setting to prevent the command being executed from executing further commands. On most platforms this is implemented as a dynamic shared object file that is loaded by the dynamic loader when sudo sets the LD_PRELOAD environment variable to the fully-qualified path of sudo_noexec.so. The sudo_noexec.so file prevents the execution of further commands by replacing the functions that would otherwise execute a new command with versions that always return an error.

Versions of sudo prior to 1.8.18p1 did not replace the wordexp() function, which may be used to run commands when the WRDE_NOCMD flag is not specified.

Impact:

Exploitation of the bug requires that the sudoers file be configured such that either the noexec Defaults setting is enabled or the NOEXEC tag is applied to a command that calls the wordexp() function without specifying the WRDE_NOCMD flag.

Successful exploitation of the bug will allow a user to run additional commands even when the NOEXEC tag is specified for a command or the noexec Defaults setting is in effect.

Fix:

The bug was fixed in sudo 1.8.18p1. When noexec is enabled, sudo now wraps the wordexp() function and always adds the WRDE_NOCMD flag before calling the C library version of the function. Additionally, on Linux systems that support seccomp filters, access to the execve() system call has been disabled entirely.
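The wrapping described above, as an added example that is not sudo's own code: a plainly named function stands in for the interposed wordexp() symbol (the real sudo_noexec.so interposes the symbol itself via LD_PRELOAD and reaches the C library version through the dynamic loader), and the constructed inputs show that a benign pattern still expands while command substitution is refused with WRDE_CMDSUB.

```c
/* Added example, not sudo's code: a wrapper in the spirit of the
 * sudo 1.8.18p1 noexec fix, forcing WRDE_NOCMD so wordexp() can never
 * spawn /bin/sh to run a command. The seccomp filter that the fix also
 * installs on Linux is not shown here. */
#include <stdio.h>
#include <wordexp.h>

/* Expand WORDS with command substitution unconditionally disabled.
 * Whatever FLAGS the caller passes, WRDE_NOCMD is added, so input such
 * as "$(cmd)" or `cmd` fails with WRDE_CMDSUB instead of running cmd. */
int noexec_wordexp(const char *words, wordexp_t *we, int flags)
{
    return wordexp(words, we, flags | WRDE_NOCMD);
}

/* Count the words PATTERN expands to under the noexec policy, or return
 * -1 when the expansion was refused or failed. Frees the result. */
int noexec_word_count(const char *pattern)
{
    wordexp_t we;
    int rc = noexec_wordexp(pattern, &we, 0);
    if (rc != 0)
        return -1;
    int n = (int)we.we_wordc;
    wordfree(&we);
    return n;
}

/* Return 1 when the wrapper refuses PATTERN specifically because it
 * requested command substitution, 0 otherwise. */
int noexec_blocks_cmdsub(const char *pattern)
{
    wordexp_t we;
    int rc = noexec_wordexp(pattern, &we, 0);
    if (rc == 0)
        wordfree(&we);
    return rc == WRDE_CMDSUB;
}

int main(void)
{
    const char *benign = "alpha beta";          /* constructed input */
    const char *cmdsub = "$(echo constructed)"; /* constructed input */
    printf("%-22s -> %d words\n", benign, noexec_word_count(benign));
    printf("%-22s -> refused: %s\n", cmdsub,
           noexec_blocks_cmdsub(cmdsub) ? "yes (WRDE_CMDSUB)" : "no");
    return 0;
}
```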

Credit:

This problem was reported by Florian Weimer who also suggested using a seccomp filter on Linux.