[sudo-announce] Sudo version 1.6.8p11 now available, fixes security issue.

Todd C. Miller Todd.Miller at courtesan.com
Tue Nov 1 11:59:48 EST 2005


Sudo version 1.6.8, patchlevel 11 is now available, which fixes a
security issue with bash scripts run via sudo.

Summary:
    A flaw exists in sudo's environment sanitizing prior to sudo
    version 1.6.8p10 that could allow a malicious user who has sudo
    permission to run a shell script that uses the bash shell to
    execute arbitrary commands.  The /bin/sh shell on most (if not
    all) Linux and Mac OS X systems is bash.

Sudo versions affected:
    Sudo versions 1.3.1 up to and including 1.6.8p9.

Details:
    The bash shell uses the value of the PS4 environment variable
    (after expansion) as a prefix for commands run in execution
    trace mode.  Execution trace mode (xtrace) is normally set via
    bash's -x command line option or interactively by running "set
    -o xtrace".  However, it may also be enabled by placing the
    string "xtrace" in the SHELLOPTS environment variable before
    bash is started.

    A malicious user with sudo access to a shell script that uses
    bash can use this feature to run arbitrary commands for each
    line of the script.

Impact:
    Exploitation of the bug requires that the bash shell be installed
    on the machine and that users be granted sudo access to run
    scripts written in bash.  On most (if not all) Linux and Mac
    OS X systems, /bin/sh is bash so /bin/sh scripts are affected
    by this as well.

Fix:
    The bug is fixed in sudo 1.6.8p10 and higher.

Workaround:
    The administrator can add a line at the top of the sudoers file:

    Defaults        env_delete+="PS4 SHELLOPTS"

    which will cause sudo to strip the PS4 and SHELLOPTS environment
    variables without requiring a recompile.

    Alternately, the administrator can add a line to the top of the
    sudoers file:

    Defaults        env_reset

    which will reset the environment to only contain the variables
    HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing
    this attack.
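As an added check that is not part of the advisory or of sudo itself, the POSIX shell function below audits a sudoers file for either workaround: it reports success when the file sets env_reset or when its env_delete assignments cover both PS4 and SHELLOPTS. It assumes the sudoers text is passed as a file path; later overrides such as "Defaults !env_reset" or "env_delete -=" are not modelled.

```shell
#!/bin/sh
# Added example (hypothetical helper, not sudo's own code): audit a sudoers
# file for the PS4/SHELLOPTS workaround.  Exit status 0 = protected by
# env_reset or by env_delete covering both PS4 and SHELLOPTS; 1 = exposed.
# Limitation: "Defaults !env_reset" and "env_delete -=" are not modelled,
# and backslash line continuations are not joined.

sudoers_defaults() {
    # Keep only Defaults lines (also Defaults:user, Defaults@host, Defaults!cmd
    # forms), with trailing "#" comments removed first.
    sed -e 's/[[:space:]]*#.*$//' "$1" \
        | grep -E '^[[:space:]]*Defaults([:@!>][^[:space:]]+)?[[:space:]]'
}

sudoers_has_workaround() {
    defs=$(sudoers_defaults "$1") || return 1

    # env_reset alone is sufficient: sudo rebuilds the environment from
    # scratch, so PS4 and SHELLOPTS never reach the script.  "!env_reset"
    # does not match because the option is preceded by "!" not space/comma.
    if printf '%s\n' "$defs" | grep -Eq '[[:space:],]env_reset([[:space:],]|$)'; then
        return 0
    fi

    # Otherwise gather every variable named in env_delete="..." or
    # env_delete+="..." assignments; names are space-separated inside quotes.
    deleted=$(printf '%s\n' "$defs" \
        | sed -nE 's/.*env_delete[[:space:]]*\+?=[[:space:]]*"([^"]*)".*/\1/p' \
        | tr -s ' \t' '\n')

    # Both variables must be stripped: SHELLOPTS enables xtrace, PS4 is
    # what xtrace expands, so deleting only one of them is not enough.
    printf '%s\n' "$deleted" | grep -qx 'PS4' \
        && printf '%s\n' "$deleted" | grep -qx 'SHELLOPTS'
}

# Usage: sudoers_has_workaround /etc/sudoers && echo protected || echo exposed
```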

Credit:
    This problem was found by Tavis Ormandy.

Other changes in patchlevel 11:
    A change was also made in patchlevel 11 to exclude the
    JAVA_TOOL_OPTIONS variable from the environment before executing
    a command.  This prevents a user from passing arbitrary arguments
    to java 5.

The next major Sudo release will be version 1.7.  For information
on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html

Master Web Site:
    http://www.sudo.ws/sudo/

Web Site Mirrors:
    http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
    http://sudo.stikman.com/ (Los Angeles, California, USA)
    http://sudo.tolix.org/ (California, USA)
    http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
    http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
    http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
    http://www.signal42.com/mirrors/sudo_www/ (USA)
    http://sudo.xmundo.net/ (Argentina)
    http://sudo.planetmirror.com/ (Australia)
    http://www.bangladesh-linux-info.org/sudo/sudo.html (Bangladesh)
    http://mirror.mons-new-media.de/sudo/ (Germany)
    http://sudo.miscellaneousmirror.org/ (Cologne, Germany)
    http://sunshine.lv/sudo/ (Latvia)
    http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
    http://sudo.cdu.elektra.ru/ (Russia)
    http://sudo.nctu.edu.tw/ (Taiwan)

FTP Mirrors:
    ftp://ftp.sudo.ws/pub/sudo/ (Frisco, Texas, USA)
    ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
    ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
    ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
    ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana, USA)
    ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
    ftp://sudo.xmundo.net/pub/mirrors/sudo/ (Argentina)
    ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ (Australia)
    ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
    ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
    ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong, China)
    ftp://ftp.eunet.cz/security/sudo/ (Czech Republic)
    ftp://ftp.ujf-grenoble.fr/sudo/ (France)
    ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
    ftp://ftp.win.ne.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/ (Japan)
    ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/ (Japan)
    ftp://core.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.tpnet.pl/d6/ftp.sudo.ws/ (Poland)
    ftp://ftp.cdu.elektra.ru/pub/unix/security/sudo/ (Russia)
    ftp://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

HTTP Mirrors:
    http://www.sudo.ws/sudo/dist/ (Frisco, Texas, USA)
    http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
    http://sudo.tolix.org/ftp/ (California, USA)
    http://sudo.mirror99.com/ (San Jose, California, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://probsd.org/sudoftp/ (East Coast, USA)
    http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    http://www.ip97.com/sudo/ (Dallas, Texas, USA)
    http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
    http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
    http://core.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://ftp.tpnet.pl/vol/d6/ftp.sudo.ws/ (Poland)
    http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
    http://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)
