Bugtraq mailing list archives
Re: hole in sudo for MP-RAS.
From: dsiebert () ICAEN UIOWA EDU (dsiebert () ICAEN UIOWA EDU)
Date: Mon, 12 Jan 1998 22:02:53 -0600
I've been able to reproduce the exploit using cu-sudo 1.5.3 under DEC UNIX 4.0B and FreeBSD 2.2.5. After looking at the code the bug can be exploited on any platform. Here is a patch to fix the problem, assuming your operating system of choice supports realpath(3). *BSD, Linux, Solaris, SunOS, DEC UNIX, AIX, and DG/UX should have no problem with this patch.
Seems to me that fixing the "exclude" stuff in sudo is a bit harder than just verifying the path is on the exclude list. Any exclude list should default automaticaly to only letting you run stuff owned by root (or bin, or whatever owns your system binaries) Otherwise a user can just make a copy of (or compile) something banned. Though realistically, I don't see how you could make an exclude list complete enough to avoid letting a user run a shell, at which point the user can do anything anyway. -- Douglas Siebert Director of Computing Facilities douglas-siebert () uiowa edu Division of Mathematical Sciences, U of Iowa If you let the system beat you long enough, eventually it'll get tired.
Current thread:
- Buffer overflows in Deliver: get 2.1.13, (continued)
- Buffer overflows in Deliver: get 2.1.13 Chip Salzenberg (Jan 12)
- [SIGNED] Buffer overflows in Deliver: get 2.1.13 Chip Salzenberg (Jan 12)
- KSR[T] Advisory #6: deliver KSR[T] (Jan 12)
- Re: KSR[T] Advisory #6: deliver Chip Salzenberg (Jan 12)
- hole in sudo for MP-RAS. osiris () COURIER CB LUCENT COM (Jan 12)
- Re: hole in sudo for MP-RAS. Cy Schubert - ITSD Open Systems Group (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 12)
- Re: hole in sudo for MP-RAS. Cy Schubert - ITSD Open Systems Group (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 13)
- Re: hole in sudo for MP-RAS. dsiebert () ICAEN UIOWA EDU (Jan 12)
- Re: hole in sudo for MP-RAS. Todd C. Miller (Jan 12)
- Buffer overflows in Deliver: get 2.1.13 Chip Salzenberg (Jan 12)
- CPSN 9:971208: Solaris /var Permission Problems CPIO Advisory Role Account (Jan 12)