[sudo-announce] Privilege escalation bug with sudoedit

Todd C. Miller Todd.Miller at courtesan.com
Thu Feb 25 07:28:06 EST 2010


Sudo versions 1.7.2p4 and 1.6.9p21 are now available.  These releases
fix a privilege escalation bug in the sudoedit functionality.

Summary:
    A flaw exists in sudo's -e option (aka sudoedit) in sudo
    versions 1.6.9 through 1.7.2p3 that may give a user with
    permission to run sudoedit the ability to run arbitrary commands.

Sudo versions affected:
    1.6.9 through 1.7.2p3 inclusive.

Download links:
    http://www.sudo.ws/sudo/dist/sudo-1.7.2p4.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.7.2p4.tar.gz
    http://www.sudo.ws/sudo/dist/sudo-1.6.9p21.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.9p21.tar.gz

Details:
    When sudo performs its command matching, there is a special
    case for pseudo-commands in the sudoers file (currently, the
    only pseudo-command is sudoedit).  Unlike a regular command,
    pseudo-commands do not begin with a slash ('/').

    The flaw is that sudo's matching code would only check
    against the list of pseudo-commands if the user-specified command
    also contained no slashes.  As a result, if the user ran "sudo
    ./sudoedit" the normal matching code path was followed, which
    uses stat(2) to verify that the user-specified command matches
    the one in sudoers.  In this case, it would compare the
    "./sudoedit" specified by the user with "sudoedit" from the
    sudoers file, resulting in a positive match.

Impact:
    Exploitation of the bug requires that the sudoers file be
    configured to allow the attacker to run sudoedit.  If no users
    have been granted access to sudoedit there is no impact.

    Successful exploitation of the bug will allow a user to run
    arbitrary commands for whichever user they have permission to
    run sudoedit as, typically root.
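
    Added example, not part of the original announcement or of sudo itself: a shell triage helper that checks a sudo version string against the affected range above and lists sudoers lines that grant the bare "sudoedit" pseudo-command. The function names and the sample sudoers text are constructed for illustration; it assumes later 1.6.9pN releases keep the p21 fix and does not follow #include files.

```shell
#!/bin/sh
# Version strings are MAJOR.MINOR.MICRO[pN], e.g. 1.7.2p3.

# ver_key VERSION -> sortable integer (1.7.2p3 -> 1007002003)
ver_key() {
    vk_base=${1%%p*}
    vk_pl=0
    if [ "$vk_base" != "$1" ]; then vk_pl=${1##*p}; fi
    vk_ifs=$IFS; IFS=.
    set -- $vk_base
    IFS=$vk_ifs
    printf '%d%03d%03d%03d\n' "$1" "${2:-0}" "${3:-0}" "$vk_pl"
}

# sudo_version_affected VERSION -> exit 0 if inside the advisory's range
sudo_version_affected() {
    sva_k=$(ver_key "$1") || return 2
    # 1.6.9 branch: affected from 1.6.9 up to, not including, 1.6.9p21
    if [ "$sva_k" -ge "$(ver_key 1.6.9)" ] &&
       [ "$sva_k" -lt "$(ver_key 1.6.9p21)" ]; then
        return 0
    fi
    # 1.7 branch: affected from 1.7.0 through 1.7.2p3 inclusive
    if [ "$sva_k" -ge "$(ver_key 1.7.0)" ] &&
       [ "$sva_k" -le "$(ver_key 1.7.2p3)" ]; then
        return 0
    fi
    return 1
}

# sudoedit_grants: read sudoers text on stdin and print the lines that name
# the bare pseudo-command "sudoedit" outside a comment. A full path such as
# /usr/bin/sudoedit is a regular command and is deliberately not matched.
sudoedit_grants() {
    grep -E '^[^#]*(^|[^[:alnum:]_./#-])sudoedit([^[:alnum:]_-]|$)'
}

# Constructed sample input (not from a real host).
sample_sudoers='# local policy, sudoedit for the web team
alice ALL = sudoedit /etc/hosts
bob   ALL = /usr/bin/less /var/log/messages'

for v in 1.6.9 1.6.9p21 1.7.2p3 1.7.2p4; do
    if sudo_version_affected "$v"; then echo "$v: affected"
    else echo "$v: not affected"; fi
done
printf '%s\n' "$sample_sudoers" | sudoedit_grants
```

    On a real host, feed the first function the version reported by "sudo -V" and the last one the contents of the sudoers file and any files it includes.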

Credit:
    This problem was brought to my attention by Glenn Waller and
    neonsignal.

See Also:
    http://www.sudo.ws/sudo/alerts/sudoedit_escalate.html


