I checked this on my RedHat Linux 9 box running sudo v 1.6.6. It didn't affect it any...

On 5/31/05, Marcus Meissner <meissner@xxxxxxx> wrote:
> On Tue, May 31, 2005 at 01:02:22PM +0700, Xnuxer Security wrote:
> > Today, 31 May 2005, I found error with root privilege escalation in
> > Sudo version 1.6.8p7 that package installed with SuSE 9.3. Testing in
> > my machine, sudo appear not check is true when I press CTRL + C with
> > blank password and giving status SID as root privilege to SID user. I
> > got successful as root without need a password but only use blank
> > password and press CTRL + C. Please check my testing below in my SuSE
> > 9.3 box:
> >
> > client@mysuse:~> cat /etc/issue
> >
> > Welcome to SuSE Linux 9.3 (i586) - Kernel \r (\l).
> >
> >
> > client@mysuse:~> id
> > uid=1000(client) gid=100(users) groups=16(dialout),33(video),100(users)
> > client@mysuse:~> uname -a
> > Linux mysuse 2.6.11.4-20a-default #1 Wed Mar 23 21:52:37 UTC 2005 i686
> > i686 i386 GNU/Linux
> > client@mysuse:~> sudo -V
> > Sudo version 1.6.8p7
> > client@mysuse:~> sudo su
> > Password: <---- fake password and press ENTER
> > Sorry, try again.
> > Password: <---- blank password and press CTRL + C
> > mysuse:/home/client #
> > mysuse:/home/client # uname -a; id; uptime
> > Linux mysuse 2.6.11.4-20a-default #1 Wed Mar 23 21:52:37 UTC 2005 i686
> > i686 i386 GNU/Linux
> > uid=0(root) gid=0(root) groups=0(root)
> > 12:29pm up 2:45, 3 users, load average: 0.14, 0.29, 0.45
> > mysuse:/home/client #
> >
> > Other sudo version is not check yet, about affect in other distro of
> > linux not check too but possible vulnerable, please check it. SuSE
> > Security still contacted by me.
>
> I cannot reproduce this in the default installation of sudo in SUSE Linux
> 9.3.
>
> Did you adapt the sudo config file in some way?
>
> What exactly do you mean with "blank password"? Empty? Or a number
> of spaces?
>
> Ciao, Marcus