[sudo-announce] Privilege escalation bug with sudoedit (revised)
Todd C. Miller
Todd.Miller at courtesan.com
Thu Apr 15 13:17:43 EDT 2010
Sudo versions 1.7.2p6 and 1.6.9p22 are now available. These releases
fix a privilege escalation bug in the sudoedit functionality.
A flaw exists in sudo's -e option (aka sudoedit) in sudo versions
1.6.8 through 1.7.2p5 that may give a user with permission to
run sudoedit the ability to run arbitrary commands. This bug
is related to, but distinct from, CVE 2010-0426.
Sudo versions affected:
1.6.8 through 1.7.2p5 inclusive.
When sudo performs its command matching, there is a special
case for pseudo-commands in the sudoers file (currently, the
only pseudo-command is sudoedit). Unlike a regular command,
pseudo-commands do not contain a path component.
Sudo's command matching routine expects actual commands to
include one or more slash ('/') characters. The flaw is that
sudo's path resolution code did not add a "./" prefix to commands
found in the current working directory. This creates an ambiguity
between a "sudoedit" command found in the cwd and the "sudoedit"
pseudo-command in the sudoers file. As a result, a user may
be able to run an arbitrary command named "sudoedit" in the
current working directory. For the attack to be successful,
the PATH environment variable must include "." and may not
include any other directory that contains a "sudoedit" command.
Exploitation of the bug requires that the sudoers file be
configured to allow the attacker to run sudoedit. If no users
have been granted access to sudoedit there is no impact.
Additionally, if either the "ignore_dot" or "secure_path" sudoers
options are enabled the attack will fail.
Successful exploitation of the bug will allow a user to run
arbitrary commands for whichever user they have permission to
run sudoedit as, typically root.
The "ignore_dot" sudoers option can be enabled which will prevent
the problem. For example:
Thanks to Valerio Costamagna for finding the bug and Agazzini
Maurizio for alerting me to the problem.
More information about the sudo-announce