Potential bypass of sudo_noexec.so on Linux
A flaw exists in sudo's noexec functionality that may allow a user with sudo privileges to run additional commands even when the NOEXEC tag has been applied to a command that uses either the system() or popen() functions.
Sudo versions 1.6.8 through 1.8.14p3 inclusive are affected.
This vulnerability has been assigned CVE-2016-7032 in the Common Vulnerabilities and Exposures database.
Sudo supports an optional setting to prevent the command being executed from executing further commands. On most platforms this is implemented as a dynamic shared object file that is loaded by the dynamic loader when sudo sets the LD_PRELOAD environment variable to the fully-qualified path of sudo_noexec.so. The sudo_noexec.so file prevents the execution of further commands by replacing functions that would otherwise execute a new command with versions that always return an error.
Versions of sudo prior to 1.8.15 relied on replacing the exec() family of functions, which are used by higher-level functions such as system() and popen() to run commands. However, some systems, notably Linux with the GNU C library, use internal (private) symbol names when calling functions (and system calls) defined within the C library itself. This means that, for instance, the system() function calls an internal symbol instead of the globally-visible execve() symbol. As a result, it is not possible for sudo_noexec.so to prevent commands from being executed by system() or popen() by replacing execve().
Both system() and popen() invoke the shell, /bin/sh, when executing commands. Unlike the C library, the shell uses the globally-visible execve() symbol when executing a command. This means that while the shell itself can be executed, it is unable to run external commands. However, it is still possible to use shell built-in commands and I/O redirection. As such, it may be possible for a malicious user to modify system files, potentially including the sudoers file itself.
Exploitation of the bug requires that the sudoers file be configured such that either the noexec Defaults setting is enabled or the NOEXEC tag is applied to commands a malicious user could run.
Successful exploitation of the bug will allow a user to run shell built-in commands or modify the file system using I/O redirection even when the NOEXEC tag is specified for a command or the noexec Defaults setting is in effect.
The bug was fixed in sudo 1.8.15, which wraps the system() and popen() functions directly.
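The following is an added illustration, not sudo's own sudo_noexec.c, of the interposition technique described above and of the shape of the 1.8.15 fix. Every function that would start a new program is replaced by a stub that fails with EACCES. Wrapping execve() alone is what the pre-1.8.15 library did; because glibc's system() and popen() reach the kernel through libc-internal symbols, the stubs below wrap those two entry points explicitly as well. The reporting helper, the function names beyond the three libc symbols, and the EACCES choice are this example's assumptions; the real library wraps the whole exec() family and further entry points.

```c
/*
 * Added example (not sudo's code): a minimal LD_PRELOAD-style noexec
 * interposer.  Built as an executable it overrides the libc symbols for
 * its own calls; built with -shared -fPIC and loaded through LD_PRELOAD
 * it overrides them for any dynamically linked program, which is how
 * sudo_noexec.so works.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Report the refused attempt on stderr and set errno (assumed: EACCES). */
static void refuse(const char *fn, const char *what)
{
    fprintf(stderr, "noexec: %s(\"%s\") refused\n", fn, what ? what : "(null)");
    errno = EACCES;
}

/* Interposed exec family member: the only layer the pre-1.8.15 library
 * relied on.  On glibc this does NOT catch system() or popen(), because
 * those call a libc-internal execve symbol, not this exported one. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)argv;
    (void)envp;
    refuse("execve", path);
    return -1;
}

/* Higher-level entry points wrapped directly, as the 1.8.15 fix does. */
int system(const char *command)
{
    refuse("system", command);
    return -1;
}

FILE *popen(const char *command, const char *mode)
{
    (void)mode;
    refuse("popen", command);
    return NULL;
}

/* Exercise all three launch paths; returns how many were refused.
 * With every wrapper in place the answer is 3. */
int noexec_refused_count(void)
{
    int refused = 0;
    char *const argv[] = { "/bin/true", NULL };
    char *const envp[] = { NULL };

    if (execve("/bin/true", argv, envp) == -1 && errno == EACCES)
        refused++;
    if (system("/bin/true") == -1 && errno == EACCES)
        refused++;
    if (popen("/bin/true", "r") == NULL && errno == EACCES)
        refused++;
    return refused;
}

int main(void)
{
    printf("%d of 3 command-launching calls refused\n", noexec_refused_count());
    return 0;
}
```

If the system() and popen() definitions are removed and the file is built as a shared object and preloaded into a dynamically linked program, that program's direct execve() calls fail while its system() and popen() calls still start /bin/sh, which is exactly the gap the advisory describes; keeping all three stubs closes it.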
The ability to bypass noexec using shell built-in commands and I/O redirection was reported by Florian Weimer.