Sudo
Buffer overflow in command line unescaping
A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug. Sudo versions affected: Sudo versions 1.7.7 through 1.7.10p9, 1.8.2 through 1.8.31p2, and 1. ...
Symbolic link attack in SELinux-enabled sudoedit
On systems where SELinux is enabled, sudo’s RBAC support allows a command to be run with a user-specified role and/or type. In order to transition to the target SELinux security context, sudo runs the command through the sesh helper program. When sudo is invoked as sudoedit, sesh is used to first create the editor temporary files with the proper security context and then, once the editor has run, to copy the edited temporary files to their original locations. ...
Buffer overflow when pwfeedback is set in sudoers
Sudo’s pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses. While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files. ...
Potential bypass of Runas user restrictions
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. ...
Potential file overwrite or tty access on Linux
On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include white space (including newline), which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains white space followed by a number. ...
Potential bypass of sudo_noexec.so on Linux
A flaw exists in sudo’s noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses either the system() or popen() functions. Sudo versions affected: 1.6.8 through 1.8.14p3 inclusive. CVE ID: This vulnerability has been assigned CVE-2016-7032 in the Common Vulnerabilities and Exposures database. Details: Sudo supports an optional setting to prevent the command being executed from executing further commands. ...
Potential bypass of sudo_noexec.so via wordexp()
A flaw exists in sudo’s noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses the wordexp() function. Sudo versions affected: 1.6.8 through 1.8.18 inclusive. CVE ID: This vulnerability has been assigned CVE-2016-7076 in the Common Vulnerabilities and Exposures database. Details: Sudo supports an optional setting to prevent the command being executed from executing further commands. ...
Arbitrary file access via TZ environment variable
Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset() implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs in the C library’s TZ parser or open files the user would not otherwise have access to. Arbitrary file access via TZ could also be used in a denial of service attack by reading from a file or fifo that will block. ...
Security policy bypass when env_reset is disabled
If the env_reset option is disabled in the sudoers file, a malicious user with sudo permissions may be able to run arbitrary commands with elevated privileges by manipulating the environment of a command the user is legitimately allowed to run. Sudo versions affected: Sudo 1.6.9 through 1.8.4p5 inclusive. Sudo 1.8.5 and higher are not affected. CVE ID: This vulnerability has been assigned CVE-2014-0106 in the Common Vulnerabilities and Exposures database. ...
Authentication bypass when clock is reset
When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user’s time stamp file can be reset using sudo -k or removed altogether via sudo -K. A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running sudo -k and then setting the clock to the epoch (1970-01-01 01:00:00). ...