A flaw exists in sudo’s -e option (aka sudoedit) in sudo versions 1.6.8 through 1.7.2p5 that may give a user with permission to run sudoedit the ability to run arbitrary commands. This bug is related to, but distinct from, CVE-2010-0426.
1.6.8 through 1.7.2p5 inclusive.
When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit). Unlike a regular command, pseudo-commands do not contain a path component.
Sudo’s command matching routine expects actual commands to include
one or more slash (’/’) characters. The flaw is that sudo’s path
resolution code did not add a “./” prefix to commands found in the
current working directory. This creates an ambiguity between a
sudoedit command found in the cwd and the
pseudo-command in the sudoers file. As a result, a user may be
able to run an arbitrary command named
sudoedit in the current
working directory. For the attack to be successful, the PATH
environment variable must include “.” and may not include any other
directory that contains a
Exploitation of the bug requires that the sudoers file be configured
to allow the attacker to run sudoedit. If no users have been granted
access to sudoedit there is no impact. Additionally, if either the
secure_path sudoers options are enabled the
attack will fail.
Successful exploitation of the bug will allow a user to run arbitrary commands for whichever user they have permission to run sudoedit as, typically root.
ignore_dot sudoers option can be enabled which will prevent the problem.
The bug is fixed in sudo 1.7.2p6 and 1.6.9p22
Thanks to Valerio Costamagna for finding the bug and Agazzini Maurizio for alerting me to the problem.