[sudo-announce] Privilege escalation bug with sudoedit
Todd C. Miller
Todd.Miller at courtesan.com
Thu Feb 25 07:28:06 EST 2010
Sudo versions 1.7.2p4 and 1.6.9p21 are now available. These releases
fix a privilege escalation bug in the sudoedit functionality.
Summary:
A flaw exists in sudo's -e option (aka sudoedit) in sudo
versions 1.6.9 through 1.7.2p3 that may give a user with
permission to run sudoedit the ability to run arbitrary commands.
Sudo versions affected:
1.6.9 through 1.7.2p3 inclusive.
Download links:
http://www.sudo.ws/sudo/dist/sudo-1.7.2p4.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.7.2p4.tar.gz
http://www.sudo.ws/sudo/dist/sudo-1.6.9p21.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.9p21.tar.gz
Details:
When sudo performs its command matching, there is a special
case for pseudo-commands in the sudoers file (currently, the
only pseudo-command is sudoedit). Unlike a regular command,
pseudo-commands do not begin with a slash ('/').
The flaw is that sudo's matching code would only check
against the list of pseudo-commands if the user-specified command
also contained no slashes. As a result, if the user ran "sudo
./sudoedit" the normal matching code path was followed, which
uses stat(2) to verify that the user-specified command matches
the one in sudoers. In this case, it would compare the
"./sudoedit" specified by the user with "sudoedit" from the
sudoers file, resulting in a positive match.
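The matching order described above, as a simplified model added here for illustration (it is not sudo's source code). The function names are hypothetical, the commands are taken exactly as typed, and match_fixed is an assumed shape for the correction, keyed on the sudoers entry rather than on the user's command.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* stat(2)-based comparison: same device and inode means same file. */
static int same_file(const char *a, const char *b)
{
    struct stat sa, sb;

    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return 0;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Pseudo-command rule: only the literal name "sudoedit" on both sides. */
static int pseudo_match(const char *sudoers_cmnd, const char *user_cmnd)
{
    return strcmp(sudoers_cmnd, "sudoedit") == 0 &&
           strcmp(user_cmnd, "sudoedit") == 0;
}

/* Affected behaviour: the special case is keyed on the user's command. */
int match_flawed(const char *sudoers_cmnd, const char *user_cmnd)
{
    if (strchr(user_cmnd, '/') == NULL)
        return pseudo_match(sudoers_cmnd, user_cmnd);
    /* A slash in user_cmnd skips the special case, so a pseudo-command
     * entry reaches stat(2) as a path relative to the working directory. */
    return same_file(sudoers_cmnd, user_cmnd);
}

/* Assumed correction: key the special case on the sudoers entry instead,
 * so a pseudo-command entry is never handed to stat(2). */
int match_fixed(const char *sudoers_cmnd, const char *user_cmnd)
{
    if (sudoers_cmnd[0] != '/')
        return pseudo_match(sudoers_cmnd, user_cmnd);
    return same_file(sudoers_cmnd, user_cmnd);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s SUDOERS_ENTRY USER_COMMAND\n", argv[0]);
        return 2;
    }
    printf("flawed=%d fixed=%d\n", match_flawed(argv[1], argv[2]),
           match_fixed(argv[1], argv[2]));
    return 0;
}
```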
Impact:
Exploitation of the bug requires that the sudoers file be
configured to allow the attacker to run sudoedit. If no users
have been granted access to sudoedit there is no impact.
Successful exploitation of the bug will allow a user to run
arbitrary commands for whichever user they have permission to
run sudoedit as, typically root.
Credit:
This problem was brought to my attention by Glenn Waller and
neonsignal.
See Also:
http://www.sudo.ws/sudo/alerts/sudoedit_escalate.html