Release Date:
October 26, 2016
Summary:
A flaw exists in sudo's noexec functionality that may allow a user with
sudo privileges to run additional commands even when the NOEXEC tag has
been applied to a command that uses either the system() or popen()
functions.
Sudo versions affected:
1.6.8 through 1.8.14p3 inclusive.
CVE ID:
This vulnerability has been assigned CVE-2016-7032 in the Common
Vulnerabilities and Exposures database.
Details:
Sudo supports an optional setting to prevent the command being
executed from executing further commands. On most platforms this
is implemented as a dynamic shared object file that is loaded by
the dynamic loader when sudo sets the LD_PRELOAD environment
variable to the fully-qualified path of sudo_noexec.so. The
sudo_noexec.so file prevents the execution of further commands by
replacing functions that would otherwise execute a new command with
versions that always return an error.
Versions of sudo prior to 1.8.15 relied on replacing the exec()
family of functions which are used by higher level functions such
as system() and popen() to run commands. However, some systems, notably
Linux with the GNU C library, use internal (private) symbol names
when calling functions (and system calls) defined within the C
library itself. This means that, for instance, the system() function
calls an internal symbol instead of the globally-visible execve()
symbol. As a result, it is not possible for sudo_noexec.so to
prevent commands from being executed by system() or popen() by
replacing execve().
Both system() and popen() invoke the shell, /bin/sh, when
executing commands. Unlike the C library, the shell uses the
globally-visible execve() symbol when executing a command. This
means that while the shell itself can be executed, it is unable to
run external commands. However, it is still possible to use shell
built-in commands and I/O redirection. As such, it may be possible
for a malicious user to modify system files, potentially including
the sudoers file itself.
Impact:
Exploitation of the bug requires that the sudoers file be configured
such that either the noexec Defaults setting is enabled or the NOEXEC
tag is applied to commands a malicious user could run.
Successful exploitation of the bug will allow a user to run shell
built-in commands or modify the file system using I/O redirection
even when the NOEXEC tag is specified for a command or the noexec
Defaults setting is in effect.
Fix:
The bug was fixed in sudo 1.8.15 which wraps the system() and popen()
functions directly.
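To make the mechanism described under Details and the fix above concrete, here is an added example of a minimal LD_PRELOAD shim in the spirit of sudo_noexec.so; it is not sudo's own source. It interposes the public exec() entry points, which is what the pre-1.8.15 shim did, and additionally wraps system() and popen() directly, which is what closes the gap on glibc where those two never reach the public execve() symbol.

```c
/* Minimal noexec-style preload shim (added example, not sudo's code).
 * Build as a shared object and load it with LD_PRELOAD:
 *   cc -shared -fPIC -o noexec_shim.so noexec_shim.c
 * Pre-1.8.15 shims replaced only the exec() family. On glibc, system()
 * and popen() call a private execve alias and so bypass that layer; the
 * 1.8.15 fix is to interpose those two entry points as well. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Every wrapper fails the same way: set EACCES and return the function's
 * documented error value, so callers see "permission denied". */
static int deny(void)
{
    errno = EACCES;
    return -1;
}

/* exec() family: shells such as /bin/sh call the public execve() symbol,
 * so this is what stops them running external commands. The real
 * sudo_noexec.so covers the whole family; three are shown here. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)path; (void)argv; (void)envp;
    return deny();
}
int execv(const char *path, char *const argv[])
{
    (void)path; (void)argv;
    return deny();
}
int execvp(const char *file, char *const argv[])
{
    (void)file; (void)argv;
    return deny();
}

/* Higher-level entry points: glibc's system() and popen() never reach the
 * public execve() above, so they must be wrapped directly (the fix). */
int system(const char *command)
{
    (void)command;
    return deny();          /* system() reports failure as -1 */
}
FILE *popen(const char *command, const char *type)
{
    (void)command; (void)type;
    deny();
    return NULL;            /* popen() reports failure as NULL */
}
```

Because the executable's own definitions take precedence over libc's, linking this file into a test program is enough to observe the wrapped behaviour without setting LD_PRELOAD.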
Credit:
The ability to bypass noexec using shell built-in commands and I/O
redirection was reported by Florian Weimer.