Sudo Security Alert

Todd C. Miller Todd.Miller at courtesan.com
Mon Jan 14 21:42:28 EST 2002


Summary:
    A security issue has been found by Sebastian Krahmer of the SuSE
    Security Team in Sudo versions 1.6.0 - 1.6.3p7.  When the Postfix
    sendmail replacement is installed on a machine, an attacker may
    be able to gain root privileges by way of Sudo.

Sudo versions affected:
    1.6.0 - 1.6.3p7 (inclusive)

Details:
    Starting with version 1.6.0 Sudo sends mail to the administrator
    as root to prevent the invoking user from killing the mail process
    and thus avoiding logging (in previous versions of Sudo the mail
    was sent as the invoking user).

    The security problem occurs because the environment that the
    "sendmail" program is run with comes from the user (with some
    potentially dangerous variables removed).  It is thus possible for
    an attacker to influence the mail program via environment variables.
    This is compounded by the fact that Sudo runs the mail program
    with both real and effective uids set to 0 (root), so the mailer
    cannot tell that it has been called from a setuid process and
    therefore does not treat the environment with suspicion.

    Currently, the only sendmail replacement known to be affected is
    Postfix but others may be as well.  I did a quick check of the
    current version of Sendmail and it does not appear to trust the
    environment in any significant manner so it is probably safe.
    However, to be on the safe side I recommend that people upgrade to
    Sudo 1.6.4 or 1.6.4p1 which runs the mail program with a clean
    environment.

Sudo web site:
    http://www.sudo.ws/sudo

 - todd
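
The fix named in the advisory (run the mail program with a clean environment), shown as an added example; it is not part of the original message and is not Sudo's code. The contents of clean_env, the DEMO_TAINTED variable and the /bin/sh stand-in for the mailer are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;
/* Assumed fixed environment for the helper (not Sudo's actual list). */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "SHELL=/bin/sh", NULL };

/* Run argv[0] and copy the first line of its stdout into out.
 * inherit != 0 keeps the caller's environment (the pre-1.6.4 pattern);
 * inherit == 0 passes only clean_env.  Returns exit status, -1 on error. */
int run_helper(char *const argv[], int inherit, char *out, size_t outlen)
{
    int fds[2], status;
    ssize_t n;
    pid_t pid;
    if (outlen == 0 || pipe(fds) == -1) return -1;
    if ((pid = fork()) == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child: stdout -> pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(argv[0], argv, inherit ? environ : clean_env);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    n = read(fds[0], out, outlen - 1);
    out[n > 0 ? n : 0] = '\0';
    out[strcspn(out, "\n")] = '\0';       /* keep the first line only */
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed stand-in for the mailer: a shell reporting a caller-set variable.
 * Returns 1 if DEMO_TAINTED reached the helper, 0 if not, -1 on error. */
int tainted_var_reaches_helper(int inherit)
{
    char *const argv[] = { "/bin/sh", "-c", "echo \"${DEMO_TAINTED:-unset}\"", NULL };
    char out[64];
    setenv("DEMO_TAINTED", "caller-controlled", 1);   /* constructed value */
    if (run_helper(argv, inherit, out, sizeof out) != 0) return -1;
    return strcmp(out, "unset") != 0;
}

int main(void)
{
    printf("inherited: %d, clean: %d\n", tainted_var_reaches_helper(1), tainted_var_reaches_helper(0));
    return 0;
}
```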


