Release Date:
April 9, 2010
Summary:
A flaw exists in sudo's -e option (aka sudoedit) in sudo versions
1.6.8 through 1.7.2p5 that may give a user with permission to run
sudoedit the ability to run arbitrary commands. This bug is related
to, but distinct from,
CVE-2010-0426.
Sudo versions affected:
1.6.8 through 1.7.2p5 inclusive.
CVE ID:
This vulnerability has been assigned
CVE-2010-1163
in the
Common
Vulnerabilities and Exposures database.
Details:
When sudo performs its command matching, there is a special case
for pseudo-commands in the sudoers file (currently, the only
pseudo-command is sudoedit). Unlike a regular command, pseudo-commands
do not contain a path component.
Sudo's command matching routine expects actual commands to include
one or more slash ('/') characters. The flaw is that sudo's path
resolution code did not add a "./" prefix to commands found in the
current working directory. This creates an ambiguity between a
sudoedit command found in the cwd and the sudoedit
pseudo-command in the sudoers file. As a result, a user may be
able to run an arbitrary command named sudoedit in the current
working directory. For the attack to be successful, the PATH
environment variable must include "." and may not include any other
directory that contains a sudoedit command.
Impact:
Exploitation of the bug requires that the sudoers file be configured
to allow the attacker to run sudoedit. If no users have been granted
access to sudoedit there is no impact. Additionally, if either the
ignore_dot or
secure_path sudoers options are enabled the
attack will fail.
Successful exploitation of the bug will allow a user to run arbitrary
commands for whichever user they have permission to run sudoedit
as, typically root.
Workaround:
The
ignore_dot sudoers option can be enabled which will prevent the problem.
For example:
Defaults ignore_dot
Fix:
The bug is fixed in sudo 1.7.2p6 and 1.6.9p22
Credit:
Thanks to Valerio Costamagna for finding the bug and Agazzini
Maurizio for alerting me to the problem.
See Also:
The other sudoedit escalation bug.