Vigil@nce - sudo : file reading via TZ
février 2015 par Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local privileged attacker can set the TZ environment variable
before calling sudo, in order to force the opening of a file, or a
denial of service if this file is blocking.
Impacted products : Unix (platform)
Severity : 1/4
Creation date : 10/02/2015
DESCRIPTION OF THE VULNERABILITY
The sudo program allows some users to execute commands with
elevated privileges.
The sudo program filters environment variables which are
potentially dangerous. However, sudo transmits the TZ variable,
which can indicate the name of a Time Zone file. The target
application, linked to the glibc, thus opens this file to analyze
its timing information. It can be noted that the content of this
file is never returned to the user.
A local privileged attacker can therefore set the TZ environment
variable before calling sudo, in order to force the opening of a
file, or a denial of service if this file is blocking.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/sudo-file-reading-via-TZ-16137