A flaw exists in sudo's noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses the wordexp() function.
Affected sudo versions: 1.6.8 through 1.8.18 inclusive.
Sudo supports an optional setting to prevent the command being executed from executing further commands. On most platforms this is implemented as a dynamic shared object, sudo_noexec.so, which the dynamic loader preloads into the command because sudo sets the loader's preload environment variable (LD_PRELOAD on Linux) to the fully-qualified path of that file. sudo_noexec.so prevents the execution of further commands by replacing the functions that would otherwise execute a new command with versions that always return an error.
Versions of sudo prior to 1.8.18p1 did not replace the wordexp() function. When called without the WRDE_NOCMD flag, wordexp() performs command substitution ($(...) and backquotes) by running a shell, so it can be used to run further commands despite noexec.
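The C library behaviour the gap rested on, as an added example that is not code from this advisory or from sudo: with the stock wordexp(), a string containing $(...) runs a command; a wrapper that forces WRDE_NOCMD (the approach the 1.8.18p1 fix takes) makes the same call fail with WRDE_CMDSUB. sudo applies its wrapper by interposing the wordexp symbol from sudo_noexec.so; here noexec_wordexp() is an ordinary function that calls libc directly so the file is self-contained, and the input string is constructed for the demonstration.

```c
/* Added example, not code from the sudo advisory or from sudo itself.
 * wordexp() performs shell-style word expansion, and unless the caller
 * passes WRDE_NOCMD that includes $(...) and backquote command substitution,
 * which libc carries out by running /bin/sh. noexec_wordexp() mirrors the
 * approach of the 1.8.18p1 fix (force WRDE_NOCMD before calling libc); sudo
 * does this by interposing the wordexp symbol from sudo_noexec.so, whereas
 * this wrapper is a plain function so the file stays self-contained. */
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Hardened wrapper: identical interface to wordexp(), but WRDE_NOCMD is
 * always set, so command substitution fails with WRDE_CMDSUB instead of
 * spawning a shell. Variable expansion, globbing and quoting still work. */
static int noexec_wordexp(const char *words, wordexp_t *we, int flags)
{
    return wordexp(words, we, flags | WRDE_NOCMD);
}

/* Expand `words` through either the stock wordexp() or the hardened wrapper.
 * Returns wordexp()'s status (0, WRDE_CMDSUB, ...) and, on success, copies
 * the first expanded word into out[] so the caller can inspect the result. */
static int expand_first(const char *words, int hardened, char *out, size_t outlen)
{
    wordexp_t we;
    int rc;

    memset(&we, 0, sizeof we);
    out[0] = '\0';
    rc = hardened ? noexec_wordexp(words, &we, 0) : wordexp(words, &we, 0);
    if (rc == 0) {
        if (we.we_wordc > 0)
            snprintf(out, outlen, "%s", we.we_wordv[0]);
        wordfree(&we);
    }
    return rc;
}

int main(void)
{
    /* Constructed input standing in for attacker-controlled text reaching a
     * NOEXEC command that calls wordexp(): the substitution runs a command. */
    const char *input = "$(echo ran-despite-noexec)";
    char out[128];
    int rc;

    rc = expand_first(input, 0, out, sizeof out);
    printf("stock wordexp():  rc=%d first word=\"%s\"\n", rc, out);

    rc = expand_first(input, 1, out, sizeof out);
    printf("noexec_wordexp(): rc=%d (WRDE_CMDSUB=%d) first word=\"%s\"\n",
           rc, WRDE_CMDSUB, out);
    return 0;
}
```

Run it as-is and the first line shows the substituted output of a command that ran even though no exec function was called by the program itself; the second line shows the same input rejected once WRDE_NOCMD is forced.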
Exploitation of the bug requires that the sudoers file be configured such that either the noexec Defaults setting is enabled or the NOEXEC tag is applied to a command that calls the wordexp() function without specifying the WRDE_NOCMD flag.
Successful exploitation of the bug will allow a user to run additional commands even when the NOEXEC tag is specified for a command or the noexec Defaults setting is in effect.
The bug was fixed in sudo 1.8.18p1. When noexec is enabled, sudo now wraps the wordexp() function and always adds the WRDE_NOCMD flag before calling the C library version of the function. Additionally, on Linux systems that support seccomp filters, access to the execve() system call is disabled with a seccomp filter, so a new program cannot be executed even through a code path that bypasses the replaced library functions.
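A seccomp filter of the kind the fix describes, as an added example that is not sudo's code: it is installed in the current process so that execve() and execveat() fail with EACCES however they are reached, whether through a libc function that sudo_noexec.so did not interpose, from a statically linked program that LD_PRELOAD never touches, or via a raw syscall. Returning EACCES is this example's choice; the advisory does not say which errno sudo uses. The probe path is constructed and deliberately nonexistent so the demonstration never replaces its own process. Linux only.

```c
/* Added example, not sudo's code: a Linux seccomp-bpf filter that blocks
 * execve()/execveat() with EACCES regardless of how the syscall is reached.
 * EACCES is this example's choice of error, not necessarily sudo's. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define NOEXEC_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NOEXEC_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define NOEXEC_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a filter that allows every syscall except execve/execveat, which
 * return EACCES. The architecture check comes first so a process cannot dodge
 * the number comparison by switching syscall ABI. Returns 0 on success, -1 if
 * the kernel or the surrounding sandbox refused (errno set). */
static int install_noexec_filter(void)
{
    struct sock_filter filt[] = {
        /* A = seccomp_data.arch; kill if it is not the ABI we compiled for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NOEXEC_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* A = seccomp_data.nr; deny the two exec syscalls, allow the rest */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filt / sizeof filt[0]),
        .filter = filt,
    };

    /* Needed for an unprivileged process to install a filter; it also keeps a
     * set-uid program run under the filter from regaining privilege. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Try to execve() a constructed path that does not exist. Without the filter
 * the kernel looks the path up and fails with ENOENT; with the filter the call
 * is refused with EACCES before the path is examined. Either way the current
 * process is never replaced. */
static int probe_execve_errno(void)
{
    char *argv[] = { "probe", NULL };
    char *envp[] = { NULL };

    errno = 0;
    execve("/nonexistent/noexec-probe", argv, envp);
    return errno;
}

/* 1: filter installed and execve() is now refused with EACCES.
 * 2: filter could not be installed (seccomp unavailable here).
 * 0: filter installed but execve() still reached path lookup (filter bug). */
static int noexec_filter_demo(void)
{
    if (install_noexec_filter() != 0)
        return 2;
    return probe_execve_errno() == EACCES ? 1 : 0;
}

int main(void)
{
    int e = probe_execve_errno();
    printf("before filter: execve() failed with %d (%s)\n", e, strerror(e));
    switch (noexec_filter_demo()) {
    case 1:
        e = probe_execve_errno();
        printf("after filter:  execve() failed with %d (%s)\n", e, strerror(e));
        break;
    case 2:
        printf("seccomp filter could not be installed: %s\n", strerror(errno));
        break;
    default:
        printf("filter installed but execve() was not blocked\n");
    }
    return 0;
}
```

Seccomp filters are inherited across fork() and survive execve(), which is what makes this usable for noexec: the filter is installed in the child before the sudo-run command starts, and the command and anything it spawns stay under it for the rest of their lifetime.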
This problem was reported by Florian Weimer, who also suggested using a seccomp filter on Linux.