A flaw exists in sudo's environment sanitizing prior to sudo version 1.6.8p2 that could allow a malicious user with permission to run a shell script that uses the bash shell to run arbitrary commands. The /bin/sh shell on most (if not all) Linux systems is bash.
Sudo versions affected: All versions prior to 1.6.8p2.
When it starts up, bash searches the environment for variables whose value begins with "()". For each environment variable that matches, a function with the same name as that variable is created, with the function body taken from the variable's value.
A malicious user with sudo access to a shell script that uses bash can use this feature to substitute arbitrary commands for any program the script calls without a fully qualified path.
Exploitation of the bug requires that the bash shell be installed on the machine and that users be granted sudo access to run scripts written in bash. On most (if not all) Linux systems, /bin/sh is bash so /bin/sh scripts are affected by this as well.
The bug is fixed in sudo 1.6.8p2.
The administrator can add a line to the sudoers file:
that will reset the environment to contain only the variables USER, preventing this attack.
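As an added illustration (not code from sudo or from this advisory), the POSIX shell script below models the two defences the advisory names: the sanitizing that 1.6.8p2 applies, which drops any environment entry whose value begins with "()", and the allowlist-style reset the sudoers workaround performs, which keeps only named variables. The sample environment, the variable named ls carrying a harmless function-shaped value, and the allowlist contents are all constructed for the demo and are assumptions, not values from the advisory.

```shell
#!/bin/sh
# Added example, not code from the sudo project. Models two defences:
#  (1) strip_function_vars: drop any NAME=VALUE whose VALUE starts with "()",
#      the shape bash imports as a function at startup (the 1.6.8p2-style fix);
#  (2) reset_env: keep only variables on a caller-supplied allowlist
#      (the spirit of the sudoers workaround). Allowlist contents are assumed.

# Read NAME=VALUE lines on stdin; print those whose value is not function-shaped.
strip_function_vars() {
    while IFS= read -r line; do
        value=${line#*=}
        case $value in
            "()"*) ;;                        # exported-function shape: drop it
            *)     printf '%s\n' "$line" ;;
        esac
    done
}

# Read NAME=VALUE lines on stdin; print only those whose NAME is in $1
# ($1 is a space-separated allowlist).
reset_env() {
    allow=" $1 "
    while IFS= read -r line; do
        name=${line%%=*}
        case $allow in
            *" $name "*) printf '%s\n' "$line" ;;
            *) ;;
        esac
    done
}

# Constructed sample environment, as a sudo-run script might see it before
# sanitizing. The "ls" entry has the function shape the advisory describes;
# its body is a harmless echo.
SAMPLE_ENV='PATH=/usr/bin:/bin
HOME=/home/alice
ls=() { echo not-the-real-ls; }
USER=alice
SHELL=/bin/bash'

# Helpers that return the variable names surviving each defence, space-separated.
names_after_strip() {
    printf '%s\n' "$SAMPLE_ENV" | strip_function_vars | sed 's/=.*//' \
        | tr '\n' ' ' | sed 's/ $//'
}
names_after_reset() {
    printf '%s\n' "$SAMPLE_ENV" | reset_env "USER SHELL" | sed 's/=.*//' \
        | tr '\n' ' ' | sed 's/ $//'
}

# When run directly, show what each defence leaves behind.
echo "after strip : $(names_after_strip)"
echo "after reset : $(names_after_reset)"
```

Run directly, the script prints the surviving variable names after each defence. The value-shape check catches the function import whatever the variable is called, while the allowlist works for a different reason: a name the attacker chooses (such as ls) is simply never on it.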
This problem was brought to my attention by Liam Helmer.