Vigil@nce: sudo, bypassing secure path
June 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When sudo calls some programs, a local attacker can bypass the
"secure path" feature, in order to elevate his privileges.
– Severity: 2/4
– Creation date: 03/06/2010
DESCRIPTION OF THE VULNERABILITY
The sudo program calls another program with specific privileges.
The "secure path" feature of sudo indicates to modify the PATH
variable before calling the other program. This feature is enabled:
– either when sudo is compiled: --with-secure-path=/bin:/usr/bin:/usr/local/bin
– or in the /etc/sudoers file: Defaults secure_path="/bin:/usr/bin:/usr/local/bin"
A process can define an environment containing several times the
same variable:
– PATH=value1
– PATH=value2
In this case:
– the glibc getenv() function retrieves the first value
– a bash shell retrieves the second value
– other implementations retrieve either the first or the second
value
However, the "secure path" feature of sudo only modifies/secures the
first value. An attacker can therefore define a malicious second
value, and then call sudo to launch a shell script. This shell
script will then use programs with the same name, but located in a
directory indicated by the attacker's second PATH value.
When sudo calls some programs, a local attacker can therefore
bypass the "secure path" feature, in order to elevate his
privileges.
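The following C program is an added example (not sudo's code and not part of the bulletin) that reproduces the ambiguity described above on a constructed environment block: first_value() mirrors the glibc getenv() rule (first match), last_value() mirrors the bash rule (last match), and dedupe_env() is a defensive normalization a privileged program can apply before passing an environment to a child, so that only the sanitized first copy of each variable survives. Variable values are hypothetical.

```c
#include <string.h>

/* Constructed environment block with PATH defined twice (hypothetical values),
 * the situation the bulletin describes. Not sudo's own data. */
static char *sample_env[] = {
    "PATH=/bin:/usr/bin:/usr/local/bin",   /* the copy secure_path rewrites */
    "HOME=/home/user",
    "PATH=/tmp/untrusted",                 /* second copy, seen by some shells */
    NULL
};

/* Return 1 if entry is "NAME=..." for the given name. */
static int is_var(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* First matching value: the glibc getenv() behaviour described in the bulletin. */
const char *first_value(char *const envp[], const char *name) {
    for (size_t i = 0; envp[i] != NULL; i++)
        if (is_var(envp[i], name))
            return envp[i] + strlen(name) + 1;
    return NULL;
}

/* Last matching value: the behaviour the bulletin attributes to bash. */
const char *last_value(char *const envp[], const char *name) {
    const char *found = NULL;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (is_var(envp[i], name))
            found = envp[i] + strlen(name) + 1;
    return found;
}

/* Defensive normalization before handing an environment to a child process:
 * keep the first occurrence of each variable, drop later duplicates, and
 * compact the array in place. Returns the number of entries dropped. */
int dedupe_env(char *envp[]) {
    size_t out = 0;
    int dropped = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        char *eq = strchr(envp[i], '=');
        size_t n = eq ? (size_t)(eq - envp[i]) : strlen(envp[i]);
        int dup = 0;
        for (size_t j = 0; j < out && !dup; j++)
            dup = strncmp(envp[j], envp[i], n) == 0 && envp[j][n] == '=';
        if (dup) dropped++; else envp[out++] = envp[i];
    }
    envp[out] = NULL;
    return dropped;
}
```

Before normalization the two lookup rules disagree on PATH; after dedupe_env() both return the first, sanitized value.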
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/sudo-bypassing-secure-path-9682