April 9, 2010
A flaw exists in sudo's -e option (aka sudoedit) in sudo versions
1.6.8 through 1.7.2p5 that may give a user with permission to run
sudoedit the ability to run arbitrary commands. This bug is related
to, but distinct from, CVE-2010-0426
Sudo versions affected:
1.6.8 through 1.7.2p5 inclusive.
This vulnerability has been assigned CVE-2010-1163
in the Common Vulnerabilities and
When sudo performs its command matching, there is a special case
for pseudo-commands in the sudoers file (currently, the only
pseudo-command is sudoedit). Unlike a regular command, pseudo-commands
do not contain a path component.
Sudo's command matching routine expects actual commands to include
one or more slash ('/') characters. The flaw is that sudo's path
resolution code did not add a "./" prefix to commands found in the
current working directory. This creates an ambiguity between a
sudoedit command found in the cwd and the sudoedit
pseudo-command in the sudoers file. As a result, a user may be
able to run an arbitrary command named sudoedit in the current
working directory. For the attack to be successful, the PATH
environment variable must include "." and may not include any other
directory that contains a sudoedit command.
Exploitation of the bug requires that the sudoers file be configured
to allow the attacker to run sudoedit. If no users have been granted
access to sudoedit there is no impact. Additionally, if either the
sudoers options are enabled the
attack will fail.
Successful exploitation of the bug will allow a user to run arbitrary
commands for whichever user they have permission to run sudoedit
as, typically root.
sudoers option can be enabled which will prevent the problem.
The bug is fixed in sudo 1.7.2p6 and 1.6.9p22
Thanks to Valerio Costamagna for finding the bug and Agazzini
Maurizio for alerting me to the problem.
The other sudoedit escalation bug