Release Date:
October 27, 2005
Summary:
A flaw in exists in sudo's environment sanitizing prior to sudo
version 1.6.8p10 that could allow a malicious user with permission
to run a shell script that utilized the bash shell to run arbitrary
commands. The /bin/sh shell on most (if not all) Linux and Mac OS
X systems is bash.
Sudo versions affected:
All versions prior to 1.6.8p10.
CVE ID:
This vulnerability has been assigned
CVE-2004-1051
in the
Common
Vulnerabilities and Exposures database.
Details:
The bash shell uses the value of the PS4 environment variable (after
expansion) as a prefix for commands run in execution trace mode.
Execution trace mode (xtrace) is normally set via bash's -x command
line option or interactively by running "set -o xtrace". However,
it may also be enabled by placing the string "xtrace" in the SHELLOPTS
environment variable before bash is started.
A malicious user with sudo access to a shell script that uses bash
can use this feature to run arbitrary commands for each line
of the script.
Impact:
Exploitation of the bug requires that the bash shell be installed
on the machine and that users be granted sudo access to run scripts
written in bash. On most (if not all) Linux and Mac OS X systems,
/bin/sh is bash so /bin/sh scripts are affected by this as well.
Fix:
The bug is fixed in sudo 1.6.8p10.
Workaround:
The administrator can add a line at the top of the sudoers file:
Defaults env_delete+="PS4 SHELLOPTS"
which will cause sudo to strip the PS4 and SHELLOPTS environment
variables without requiring a recompile.
Alternately, the administrator can add a line to the top of sudoers file:
Defaults env_reset
which will reset the environment to only contain the variables
HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing this attack.
Credit:
This problem was found by Tavis Ormandy.