exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

sudo168-9.txt

sudo168-9.txt
Posted Jun 21, 2005
Site sudo.ws

A race condition exists in Sudo's command pathname handling prior to Sudo version 1.6.8p9 that could allow a user with Sudo privileges to run arbitrary commands.

tags | advisory, arbitrary
SHA-256 | a70767bc3df652f28565e7a7ef5f5857dd8f651bee8d0dcfe89f265f2852c080

sudo168-9.txt

Change Mirror Download
Sudo version 1.6.8, patchlevel 9 is now available, which fixes a
race condition in Sudo's pathname validation. This is a security
issue.

Summary:
A race condition in Sudo's command pathname handling prior to
Sudo version 1.6.8p9 that could allow a user with Sudo privileges
to run arbitrary commands.

Sudo versions affected:
Sudo versions 1.3.1 up to and including 1.6.8p8.

Details:
When a user runs a command via Sudo, the inode and device numbers
of the command are compared to those of commands with the same
basename found in the sudoers file (see the Background paragraph
for more information). When a match is found, the path to the
matching command listed in the sudoers file is stored in the
variable safe_cmnd, which is later used to execute the command.
Because the actual path executed comes from the sudoers file
and not directly from the user, Sudo should be safe from race
conditions involving symbolic links. However, if a sudoers
entry containing the pseudo-command ALL follows the user's
sudoers entry the contents of safe_cmnd will be overwritten
with the path the user specified on the command line, making
Sudo vulnerable to the aforementioned race condition.

Impact:
Exploitation of the bug requires that the user be allowed to
run one or more commands via Sudo and be able to create symbolic
links in the filesystem. Furthermore, a sudoers entry giving
another user access to the ALL pseudo-command must follow the
user's sudoers entry for the race to exist.

For example, the following sudoers file is not affected by the
bug:

root server=ALL
someuser server=/bin/echo

Whereas this one would be:

someuser server=/bin/echo
root server=ALL

Fix:
The bug is fixed in sudo 1.6.8p9.

Workaround:
The administrator can order the sudoers file such that all
entries granting Sudo ALL privileges precede all other entries.

Credit:
This problem was brought to my attention by Charles Morris.

Background:
The reason Sudo uses the inode for command matching is to make
relative paths work and to avoid problems caused by automounters
where the path to be executed is not the same as the absolute
path to the command.

Another possible approach is to use the realpath() function to
find the true path. Sudo does not user realpath() because that
function is not present in all operating systems and is often
vulnerable to race conditions where it does exist.

The next major Sudo release will be version 1.7. For information
on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html
You can help speed the release of Sudo 1.7 by purchasing a support
contract or making a donation (see below).

Commercial support is available for Sudo. If your organization
uses Sudo, please consider purchasing a support contract to help
fund future Sudo development at http://www.sudo.ws/support.html
Custom enhancements to Sudo may also be contracted.

You can also help out by making a donation or "purchase" a copy
of Sudo at http://www.sudo.ws/purchase.html

Master Web Site:
http://www.sudo.ws/sudo/

Web Site Mirrors:
http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
http://sudo.stikman.com/ (Los Angeles, California, USA)
http://sudo.tolix.org/ (California, USA)
http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
http://www.signal42.com/mirrors/sudo_www/ (USA)
http://sudo.xmundo.net/ (Argentina)
http://sudo.planetmirror.com/ (Australia)
http://mirror.mons-new-media.de/sudo/ (Germany)
http://sunshine.lv/sudo/ (Latvia)
http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
http://sudo.cdu.elektra.ru/ (Russia)
http://sudo.nctu.edu.tw/ (Taiwan)

FTP Mirrors:
ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana, USA)
ftp://ftp.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
ftp://sudo.xmundo.net/pub/mirrors/sudo/ (Argentina)
ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ (Australia)
ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong, China)
ftp://ftp.eunet.cz/pub/security/sudo/ (Czechoslovakia)
ftp://ftp.ujf-grenoble.fr/sudo/ (France)
ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
ftp://ftp.win.ne.jp/pub/misc/sudo/ (Japan)
ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/ (Japan)
ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/ (Japan)
ftp://core.ring.gr.jp/pub/misc/sudo/ (Japan)
ftp://ftp.ring.gr.jp/pub/misc/sudo/ (Japan)
ftp://ftp.tpnet.pl/d6/ftp.sudo.ws/ (Poland)
ftp://ftp.cdu.elektra.ru/pub/unix/security/sudo/ (Russia)
ftp://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

HTTP Mirrors:
http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
http://sudo.tolix.org/ftp/ (California, USA)
http://sudo.mirror99.com/ (San Jose, California, USA)
http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
http://www.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
http://probsd.org/sudoftp/ (East Coast, USA)
http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
http://core.ring.gr.jp/archives/misc/sudo/ (Japan)
http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
http://ftp.tpnet.pl/vol/d6/ftp.sudo.ws/ (Poland)
http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
http://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close