[sudo-announce] Privilege escalation bug with sudoedit (revised)

Todd C. Miller Todd.Miller at courtesan.com
Thu Apr 15 13:17:43 EDT 2010


Sudo versions 1.7.2p6 and 1.6.9p22 are now available.  These releases
fix a privilege escalation bug in the sudoedit functionality.

Summary:
    A flaw exists in sudo's -e option (aka sudoedit) in sudo versions
    1.6.8 through 1.7.2p5 that may give a user with permission to
    run sudoedit the ability to run arbitrary commands.  This bug
    is related to, but distinct from, CVE-2010-0426.

Sudo versions affected:
    1.6.8 through 1.7.2p5 inclusive.

Download links:
    http://www.sudo.ws/sudo/dist/sudo-1.7.2p6.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.7.2p6.tar.gz
    http://www.sudo.ws/sudo/dist/sudo-1.6.9p22.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.9p22.tar.gz

Details:
    When sudo performs its command matching, there is a special
    case for pseudo-commands in the sudoers file (currently, the
    only pseudo-command is sudoedit).  Unlike a regular command,
    pseudo-commands do not contain a path component.

    Sudo's command matching routine expects actual commands to
    include one or more slash ('/') characters.  The flaw is that
    sudo's path resolution code did not add a "./" prefix to commands
    found in the current working directory.  This creates an ambiguity
    between a "sudoedit" command found in the cwd and the "sudoedit"
    pseudo-command in the sudoers file.  As a result, a user may
    be able to run an arbitrary command named "sudoedit" in the
    current working directory.  For the attack to succeed, the
    PATH environment variable must include "." and must not
    include any other directory that contains a "sudoedit" command.

Impact:
    Exploitation of the bug requires that the sudoers file be
    configured to allow the attacker to run sudoedit.  If no users
    have been granted access to sudoedit, there is no impact.
    Additionally, if either the "ignore_dot" or "secure_path" sudoers
    option is enabled, the attack will fail.

    Successful exploitation of the bug will allow a user to run
    arbitrary commands for whichever user they have permission to
    run sudoedit as, typically root.

Workaround:
    The "ignore_dot" sudoers option can be enabled which will prevent
    the problem.  For example:

	Defaults ignore_dot
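    The following script is an added example, not part of this
    announcement or of sudo itself.  It turns the preconditions listed
    under Details, Impact and Workaround into an offline pre-flight
    check: is the sudo version in the affected range, does PATH name
    the current directory, and does a given sudoers text grant sudoedit
    without enabling ignore_dot or secure_path.  The function names
    (sudo_affected, path_has_dot, sudoers_exposed) and the two sudoers
    fragments are this example's own constructions.  It treats the
    affected range per branch, since this release fixes 1.6.x at
    1.6.9p22 and 1.7.x at 1.7.2p6.

```shell
#!/bin/sh
# Added example (not from the advisory or the sudo source): offline
# checks for the sudoedit/"." ambiguity.  Names and samples are this
# example's own.

# sudo_affected VERSION: succeed if VERSION is in the affected range.
# VERSION looks like "1.7.2p5"; the "pN" patch level is optional.
# "1.6.8 through 1.7.2p5" is read per branch, because the fix ships as
# 1.6.9p22 on the 1.6 branch and 1.7.2p6 on the 1.7 branch.
sudo_affected() {
    v=$1
    case $v in
        *p*) base=${v%p*}; plevel=${v##*p} ;;
        *)   base=$v;      plevel=0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $base                       # split MAJ.MIN.PATCH on dots
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    # Pack into one comparable integer: MAJ*10^6 + MIN*10^4 + PATCH*10^2 + p
    key=$((maj * 1000000 + min * 10000 + pat * 100 + plevel))
    if [ "$key" -ge 1060800 ] && [ "$key" -lt 1060922 ]; then return 0; fi  # 1.6.8 .. 1.6.9p21
    if [ "$key" -ge 1070000 ] && [ "$key" -le 1070205 ]; then return 0; fi  # 1.7.0 .. 1.7.2p5
    return 1
}

# path_has_dot PATHSTRING: succeed if the search path names the current
# directory, either as "." or as an empty element (leading, trailing or
# doubled ":").  sudoers(5) documents ignore_dot as covering both forms.
path_has_dot() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# sudoers_exposed TEXT: succeed if TEXT grants sudoedit to someone and
# sets neither "Defaults ignore_dot" nor "Defaults secure_path".  Only
# the text handed in is inspected; #include/#includedir are not followed.
sudoers_exposed() {
    text=$1
    # A non-comment, non-Defaults line mentioning sudoedit is a grant.
    if ! printf '%s\n' "$text" | grep -Ev '^[[:space:]]*(#|Defaults)' \
            | grep -qw sudoedit; then
        return 1                       # nobody may run sudoedit: no impact
    fi
    if printf '%s\n' "$text" \
            | grep -Eq '^[[:space:]]*Defaults.*[[:space:],]ignore_dot([[:space:],]|$)'; then
        return 1                       # workaround from the advisory is in place
    fi
    if printf '%s\n' "$text" \
            | grep -Eq '^[[:space:]]*Defaults.*[[:space:],]secure_path[[:space:]]*='; then
        return 1                       # secure_path replaces the user's PATH
    fi
    return 0
}

# Constructed sample sudoers fragments (not taken from any real host).
WEAK_SUDOERS='
# grants sudoedit but leaves "." handling at the sudo default
alice ALL = sudoedit /etc/motd
'
HARDENED_SUDOERS='
Defaults ignore_dot
Defaults secure_path = "/usr/sbin:/usr/bin:/sbin:/bin"
alice ALL = sudoedit /etc/motd
'

# Demo against the constructed inputs.
for ver in 1.6.9p21 1.6.9p22 1.7.2p5 1.7.2p6; do
    if sudo_affected "$ver"; then echo "sudo $ver: affected"; else echo "sudo $ver: fixed"; fi
done
if path_has_dot "/usr/local/bin:/usr/bin:/bin:."; then
    echo 'PATH names the current directory: attack precondition met'
fi
if sudoers_exposed "$WEAK_SUDOERS"; then
    echo 'weak sudoers: sudoedit granted without ignore_dot/secure_path'
fi
if sudoers_exposed "$HARDENED_SUDOERS"; then :; else
    echo 'hardened sudoers: attack blocked'
fi
```

    On a live host the same functions can be fed real data, for
    example sudo_affected "$(sudo -V | sed -n '1s/^Sudo version //p')"
    and path_has_dot "$PATH".  Reading /etc/sudoers needs root, the
    check does not follow #include or #includedir, and secure_path may
    also be compiled in rather than set in sudoers, so treat an
    "exposed" verdict as a prompt to confirm with sudo -l rather than
    as proof.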

Credit:
    Thanks to Valerio Costamagna for finding the bug and Agazzini
    Maurizio for alerting me to the problem.

See Also:
    http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html
    http://www.sudo.ws/sudo/alerts/sudoedit_escalate.html
