VuXML ID | Description |
6193b3f6-548c-11eb-ba01-206a8a720317 | sudo -- Potential information leak in sudoedit
Todd C. Miller reports:
A potential information leak in sudoedit that could be used to
test for the existence of directories not normally accessible to
the user in certain circumstances. When creating a new file,
sudoedit checks to make sure the parent directory of the new file
exists before running the editor. However, a race condition exists
if the invoking user can replace (or create) the parent directory.
If a symbolic link is created in place of the parent directory,
sudoedit will run the editor as long as the target of the link
exists. If the target of the link does not exist, an error message
will be displayed. The race condition can be used to test for the
existence of an arbitrary directory. However, it _cannot_ be used
to write to an arbitrary location.
Discovery 2021-01-11 Entry 2021-01-11 sudo
< 1.9.5
https://www.sudo.ws/stable.html#1.9.5
CVE-2021-23239
|
1b725079-9ef6-11da-b410-000e0c2e438a | sudo -- arbitrary command execution
Tavis Ormandy reports:
The bash shell uses the value of the PS4 environment
variable (after expansion) as a prefix for commands run
in execution trace mode. Execution trace mode (xtrace) is
normally set via bash's -x command line option or
interactively by running "set -o xtrace". However, it may
also be enabled by placing the string "xtrace" in the
SHELLOPTS environment variable before bash is started.
A malicious user with sudo access to a shell script that
uses bash can use this feature to run arbitrary commands
for each line of the script.
Discovery 2005-10-25 Entry 2006-02-16 sudo
< 1.6.8.10
15191
CVE-2005-2959
http://www.courtesan.com/sudo/alerts/bash_env.html
|
018a84d0-2548-11df-b4a3-00e0815b8da8 | sudo -- Privilege escalation with sudoedit
Todd Miller reports:
When sudo performs its command matching, there is a special case
for pseudo-commands in the sudoers file (currently, the only
pseudo-command is sudoedit). Unlike a regular command,
pseudo-commands do not begin with a slash ('/'). The flaw is that
sudo's matching code would only check against the list of
pseudo-commands if the user-specified command also contained no
slashes. As a result, if the user ran "sudo ./sudoedit" the normal
matching code path was followed, which uses stat(2) to verify that
the user-specified command matches the one in sudoers. In this
case, it would compare the "./sudoedit" specified by the user with
"sudoedit" from the sudoers file, resulting in a positive
match.
Discovery 2010-01-29 Entry 2010-03-01 sudo
< 1.7.2.4
http://www.sudo.ws/pipermail/sudo-announce/2010-February/000092.html
http://www.sudo.ws/sudo/alerts/sudoedit_escalate.html
http://secunia.com/advisories/38659
CVE-2010-0426
38362
|
82cfd919-8213-11e2-9273-902b343deec9 | sudo -- Potential bypass of tty_tickets constraints
Todd Miller reports:
A (potentially malicious) program run by a user with sudo access
may be able to bypass the "tty_ticket" constraints. In order for
this to succeed there must exist on the machine a terminal device
that the user has previously authenticated themselves on via sudo
within the last time stamp timeout (5 minutes by default).
Discovery 2013-02-27 Entry 2013-03-01 sudo
< 1.8.6.p7
CVE-2013-1776
http://www.sudo.ws/sudo/alerts/tty_tickets.html
|
1a9f678d-48ca-11df-85f8-000c29a67389 | sudo -- Privilege escalation with sudoedit
Todd Miller reports:
Sudo's command matching routine expects actual commands to include
one or more slash ('/') characters. The flaw is that sudo's path
resolution code did not add a "./" prefix to commands found in the
current working directory. This creates an ambiguity between a
"sudoedit" command found in the cwd and the "sudoedit"
pseudo-command in the sudoers file. As a result, a user may be
able to run an arbitrary command named "sudoedit" in the current
working directory. For the attack to be successful, the PATH
environment variable must include "." and may not include any other
directory that contains a "sudoedit" command.
Discovery 2010-04-09 Entry 2010-04-15 sudo
< 1.7.2.6
CVE-2010-1163
http://www.sudo.ws/pipermail/sudo-announce/2010-April/000093.html
http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html
|
d42e5b66-6ea0-11df-9c8d-00e0815b8da8 | sudo -- Secure path vulnerability
Todd Miller reports:
Most versions of the C library function getenv() return the
first instance of an environment variable to the caller. However,
some programs, notably the GNU Bourne Again SHell (bash), do
their own environment parsing and may choose the last instance
of a variable rather than the first one.
An attacker may manipulate the environment of the process that
executes Sudo such that a second PATH variable is present. When
Sudo runs a bash script, it is this second PATH variable that
is used by bash, regardless of whether or not Sudo has overwritten
the first instance of PATH. This may allow an attacker to
subvert the program being run under Sudo and execute commands
he/she would not otherwise be allowed to run.
Discovery 2010-06-02 Entry 2010-06-02 sudo
< 1.7.2.7
CVE-2010-1646
http://sudo.ws/sudo/alerts/secure_path.html
|
764344fb-8214-11e2-9273-902b343deec9 | sudo -- Authentication bypass when clock is reset
Todd Miller reports:
The flaw may allow someone with physical access to a machine that
is not password-protected to run sudo commands without knowing the
logged in user's password. On systems where sudo is the principal
way of running commands as root, such as on Ubuntu and Mac OS X,
there is a greater chance that the logged in user has run sudo
before and thus that an attack would succeed.
Discovery 2013-02-27 Entry 2013-03-01 sudo
< 1.8.6.p7
CVE-2013-1775
http://www.sudo.ws/sudo/alerts/epoch_ticket.html
|
b3435b68-9ee8-11e1-997c-002354ed89bc | sudo -- netmask vulnerability
Todd Miller reports:
Sudo supports granting access to commands on a per-host basis.
The host specification may be in the form of a host name, a
netgroup, an IP address, or an IP network (an IP address with an
associated netmask).
When IPv6 support was added to sudo, a bug was introduced that
caused the IPv6 network matching code to be called when an IPv4
network address does not match. Depending on the value of the
uninitialized portion of the IPv6 address, it is possible for the
IPv4 network number to match when it should not. This bug only
affects IP network matching and does not affect simple IP address
matching.
The reported configuration that exhibited the bug was an
LDAP-based sudo installation where the sudoRole object contained
multiple sudoHost entries, each containing a different IPv4
network. File-based sudoers should be affected as well as the
same matching code is used.
Discovery 2012-05-16 Entry 2012-05-16 sudo
<= 1.8.4_1
CVE-2012-2337
http://www.sudo.ws/sudo/alerts/netmask.html
|
3a1474ba-f646-11e9-b0af-b888e347c638 | sudo -- Potential bypass of Runas user restrictions
Todd C. Miller reports:
When sudo is configured to allow a user to run commands as an
arbitrary user via the ALL keyword in a Runas specification, it
is possible to run commands as root by specifying the user ID -1
or 4294967295.
This can be used by a user with sufficient sudo privileges to
run commands as root even if the Runas specification explicitly
disallows root access as long as the ALL keyword is listed first
in the Runas specification.
Log entries for commands run this way will list the target user
as 4294967295 instead of root. In addition, PAM session modules
will not be run for the command.
Discovery 2019-10-15 Entry 2019-10-24 sudo
< 1.8.28
https://www.sudo.ws/alerts/minus_1_uid.html
CVE-2019-14287
|
bdd1537b-354c-11d9-a9e7-0001020eed82 | sudo -- privilege escalation with bash scripts
A Sudo Security Alert reports:
A flaw exists in sudo's environment sanitizing prior
to sudo version 1.6.8p2 that could allow a malicious user
with permission to run a shell script that utilized the
bash shell to run arbitrary commands.
Discovery 2004-11-11 Entry 2004-11-13 sudo
< 1.6.8.2
http://www.courtesan.com/sudo/alerts/bash_functions.html
|
f3cf4b33-6013-11eb-9a0e-206a8a720317 | sudo -- Multiple vulnerabilities
Todd C. Miller reports:
When invoked as sudoedit, the same set of command line options
are now accepted as for sudo -e. The -H and -P options are now
rejected for sudoedit and sudo -e which matches the sudo 1.7
behavior. This is part of the fix for CVE-2021-3156.
Fixed a potential buffer overflow when unescaping backslashes in
the command's arguments. Normally, sudo escapes special characters
when running a command via a shell (sudo -s or sudo -i). However,
it was also possible to run sudoedit with the -s or -i flags in
which case no escaping had actually been done, making a buffer
overflow possible. This fixes CVE-2021-3156.
Discovery 2021-01-26 Entry 2021-01-26 sudo
< 1.9.5p2
https://www.sudo.ws/stable.html#1.9.5p2
CVE-2021-3156
|
b4e5f782-442d-11ea-9ba9-206a8a720317 | sudo -- Potential bypass of Runas user restrictions
Todd C. Miller reports:
Sudo's pwfeedback option can be used to provide visual feedback
when the user is inputting their password. For each key press,
an asterisk is printed. This option was added in response to
user confusion over how the standard Password: prompt disables
the echoing of key presses. While pwfeedback is not enabled by
default in the upstream version of sudo, some systems, such as
Linux Mint and Elementary OS, do enable it in their default
sudoers files.
Due to a bug, when the pwfeedback option is enabled in the
sudoers file, a user may be able to trigger a stack-based buffer
overflow. This bug can be triggered even by users not listed in
the sudoers file. There is no impact unless pwfeedback has been
enabled.
Discovery 2020-01-30 Entry 2020-01-30 sudo
< 1.8.31
https://www.sudo.ws/alerts/pwfeedback.html
CVE-2019-18634
|
045944a0-6bca-11d9-aaa6-000a95bc6fae | sudo -- environmental variable CDPATH is not cleared
A sudo bug report says:
sudo doesn't unset the CDPATH variable, which leads to
possible security problems.
Discovery 2004-10-18 Entry 2005-01-21 Modified 2013-06-19 sudo
< 1.6.8.4
http://www.sudo.ws/bugs/show_bug.cgi?id=155
http://www.sudo.ws/pipermail/sudo-announce/2004-November/000044.html
|
2e8cdd36-c3cc-11e5-b5fe-002590263bf5 | sudo -- potential privilege escalation via symlink misconfiguration
MITRE reports:
sudoedit in Sudo before 1.8.15 allows local users to gain
privileges via a symlink attack on a file whose full path is defined
using multiple wildcards in /etc/sudoers, as demonstrated by
"/home/*/*/file.txt."
Discovery 2015-11-17 Entry 2016-01-26 sudo
< 1.8.15
CVE-2015-5602
ports/206590
https://www.exploit-db.com/exploits/37710/
https://bugzilla.sudo.ws/show_bug.cgi?id=707
http://www.sudo.ws/stable.html#1.8.15
|
3bf157fa-e1c6-11d9-b875-0001020eed82 | sudo -- local race condition vulnerability
Todd C. Miller reports:
A race condition in Sudo's command pathname handling
prior to Sudo version 1.6.8p9 that could allow a user with
Sudo privileges to run arbitrary commands.
Exploitation of the bug requires that the user be allowed
to run one or more commands via Sudo and be able to create
symbolic links in the filesystem. Furthermore, a sudoers
entry giving another user access to the ALL pseudo-command
must follow the user's sudoers entry for the race to
exist.
Discovery 2005-06-20 Entry 2005-06-20 Modified 2005-11-14 sudo
< 1.6.8.9
13993
CVE-2005-1993
http://marc.theaimsgroup.com/?l=bugtraq&m=111928183431376
|