Vigil@nce: sudo, privilege elevation via sudoedit
April 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker, allowed to execute sudoedit, can execute
commands with root privileges.
– Severity: 2/4
– Creation date: 15/04/2010
DESCRIPTION OF THE VULNERABILITY
The sudo program allows users to execute some commands with the
privileges of other users. For example, the following rule allows
a file to be edited with root privileges:
user ALL = sudoedit filename
The sudoedit command is written without a full path (such as
/bin/sudoedit) because it is a pseudo-command, which sudo
interprets specially.
However, a program named sudoedit is also matched by this rule,
in the following case:
– the program is located in the current directory
– the PATH variable contains ".", so that the current directory
is searched first
– the ignore_dot directive is not enabled
– the secure_path directive is not enabled
The sudoedit program located in the current directory is thus run
with root privileges.
A local attacker, allowed to execute sudoedit, can therefore
execute commands with root privileges.
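The configuration-side conditions listed above (a sudoedit rule, "." in PATH, no ignore_dot, no secure_path) can be checked together. The following Python audit is an added example, not part of the Vigil@nce bulletin or of sudo itself; the function names and the sample sudoers text are constructed for illustration, only global Defaults lines are read, and an empty PATH entry is treated like "." because both mean the current directory.

```python
import re

def global_defaults(sudoers_text):
    """Return whether ignore_dot / secure_path are enabled by global Defaults lines."""
    flags = {"ignore_dot": False, "secure_path": False}
    text = sudoers_text.replace("\\\n", " ")  # join backslash-continued lines
    for line in text.splitlines():
        m = re.match(r"\s*Defaults\s+(.+)$", line)
        if not m:
            continue  # scoped Defaults (Defaults:user, Defaults@host) are not handled
        for item in re.findall(r'(?:[^,"]|"[^"]*")+', m.group(1)):
            name = re.match(r"\s*(!?)\s*(\w+)", item)
            if name and name.group(2) in flags:
                flags[name.group(2)] = name.group(1) != "!"  # "!flag" disables it
    return flags

def sudoedit_rules(sudoers_text):
    """Return user-specification lines that grant the sudoedit pseudo-command."""
    hits = []
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        for cmd in line.split("=", 1)[1].split(","):
            # Drop a runas list "(root)" and tags such as "NOPASSWD:" before the command.
            cmd = re.sub(r"\([^)]*\)|\b[A-Z_]+:", " ", cmd).split()
            if cmd and cmd[0] == "sudoedit":
                hits.append(line)
                break
    return hits

def dot_in_path(path_env):
    """True if PATH has '.' or an empty entry (both mean the current directory)."""
    return bool(path_env) and any(p in (".", "") for p in path_env.split(":"))

def exposed(sudoers_text, path_env):
    """Return the sudoedit rules at risk; empty when any one condition is absent."""
    flags = global_defaults(sudoers_text)
    if flags["ignore_dot"] or flags["secure_path"] or not dot_in_path(path_env):
        return []
    return sudoedit_rules(sudoers_text)

# Constructed sample input, not taken from a real system.
WEAK = "Defaults env_reset\nuser ALL = sudoedit /etc/motd\n"
HARDENED = 'Defaults env_reset, secure_path="/usr/sbin:/usr/bin"\n' + "user ALL = sudoedit /etc/motd\n"

if __name__ == "__main__":
    print(exposed(WEAK, ".:/usr/bin:/bin"), exposed(HARDENED, ".:/usr/bin:/bin"))
```

Enabling either ignore_dot or secure_path in the sudoers file makes exposed() return an empty list, matching the conditions in the bulletin.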
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/sudo-privilege-elevation-via-sudoedit-9592