Additional privilege escalation bug with sudoedit
A flaw exists in sudo’s -e option (aka sudoedit) in sudo versions 1.6.8 through 1.7.2p5 that may give a user with permission to run sudoedit the ability to run arbitrary commands. This bug is related to, but distinct from, CVE-2010-0426.
1.6.8 through 1.7.2p5 inclusive.
This vulnerability has been assigned CVE-2010-1163 in the Common Vulnerabilities and Exposures database.
When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit). Unlike a regular command, pseudo-commands do not contain a path component.
Sudo’s command matching routine expects actual commands to include
one or more slash (’/’) characters. The flaw is that sudo’s path
resolution code did not add a “./” prefix to commands found in the
current working directory. This creates an ambiguity between a
sudoedit command found in the cwd and the sudoedit
pseudo-command in the sudoers file. As a result, a user may be
able to run an arbitrary command named sudoedit in the current
working directory. For the attack to be successful, the PATH
environment variable must include “.” and may not include any other
directory that contains a sudoedit command.
Exploitation of the bug requires that the sudoers file be configured
to allow the attacker to run sudoedit. If no users have been granted
access to sudoedit there is no impact. Additionally, if either the
ignore_dot or secure_path sudoers options are enabled the
attack will fail.
Successful exploitation of the bug will allow a user to run arbitrary commands for whichever user they have permission to run sudoedit as, typically root.
The ignore_dot sudoers option can be enabled which will prevent the problem.
For example:
Defaults ignore_dot
The bug is fixed in sudo 1.7.2p6 and 1.6.9p22
Thanks to Valerio Costamagna for finding the bug and Agazzini Maurizio for alerting me to the problem.