November 8, 2005
A flaw in exists in sudo's environment sanitizing prior to sudo
version 1.6.8p12 that could allow a malicious user with permission
to run a perl script to execute arbitrary perl code.
Sudo versions affected:
All versions prior to 1.6.8p12.
This vulnerability has been assigned CVE-2004-1051
in the Common
Vulnerabilities and Exposures
The PERL5LIB and PERLLIB environment variables can be used to provide a
list of directories in which to look for perl library files before the
system directories are searched. It is similar in concept to the
LD_LIBRARY_PATH environment variables, only for perl. These variables
are ignored if "tainting" is enabled (via the -T switch). The
PERL5OPT environment variable specifies additional command line
options to be passed to the script which may modify its behavior.
Malicious users with sudo access to run a perl script can use these
variables to include and execute their own library file with the
same name as a system library file that is included (via the "use"
or "require" directives) by the perl script run via sudo.
Exploitation of the bug requires that perl be installed on the
machine and that users be granted sudo access to run perl scripts
that do not have tainting turned on.
The bug is fixed in sudo 1.6.8p12.
The administrator can add a line at the top of the sudoers file:
Defaults env_delete+="PERLLIB PERL5LIB PERL5OPT"
which will cause sudo to strip the PERLLIB, PERL5LIB and PERL5OPT environment
variables without requiring a recompile.
Alternately, the administrator can add a line to the top of sudoers file:
which will reset the environment to only contain the variables
HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing this attack.
This problem was brought to my attention by Charles Morris.