Additional privilege escalation bug with sudoedit

Summary:

A flaw exists in sudo's -e option (aka sudoedit) in sudo versions 1.6.8 through 1.7.2p5 that may give a user with permission to run sudoedit the ability to run arbitrary commands. This bug is related to, but distinct from, CVE-2010-0426.

Sudo versions affected:

1.6.8 through 1.7.2p5 inclusive.

CVE ID:

This vulnerability has been assigned CVE-2010-1163 in the Common Vulnerabilities and Exposures database.

Details:

When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit). Unlike a regular command, pseudo-commands do not contain a path component.

Sudo's command matching routine expects actual commands to include one or more slash ('/') characters. The flaw is that sudo's path resolution code did not add a "./" prefix to commands found in the current working directory. This creates an ambiguity between a sudoedit command found in the cwd and the sudoedit pseudo-command in the sudoers file. As a result, a user may be able to run an arbitrary command named sudoedit in the current working directory. For the attack to be successful, the PATH environment variable must include "." and may not include any other directory that contains a sudoedit command.

Impact:

Exploitation of the bug requires that the sudoers file be configured to allow the attacker to run sudoedit. If no users have been granted access to sudoedit there is no impact. Additionally, if either the ignore_dot or secure_path sudoers options are enabled the attack will fail.

Successful exploitation of the bug will allow a user to run arbitrary commands for whichever user they have permission to run sudoedit as, typically root.

Workaround:

Enabling the ignore_dot sudoers option prevents the problem. For example:
Defaults ignore_dot
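The Details section above lists the preconditions for this bug (PATH searches the current directory) and the Impact and Workaround sections name the sudoers options that defeat it (ignore_dot, secure_path). The following POSIX shell script, added here as an example and not part of the sudo advisory, turns those two conditions into checks a defender can run against a PATH string and a copy of sudoers text. The function names and the sample sudoers fragments are constructed for this example; the script does not read the live /etc/sudoers or decide whether anyone is actually granted sudoedit, which still has to be read from the rules themselves.

```sh
#!/bin/sh
# Added example (not from the sudo advisory): checks for the CVE-2010-1163
# preconditions. All function names and sample data are constructed here.

# path_has_dot "PATH-string": succeed when PATH contains "." or an empty
# component; both make the shell (and sudo) search the current directory.
path_has_dot() {
    # Wrap in ":" so every component is delimited on both sides, then look
    # for a lone "." component or an empty one ("::", leading or trailing ":").
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# sudoers_mitigated "sudoers-text": succeed when a Defaults line enables
# ignore_dot or sets secure_path. A negated "!ignore_dot" does not count,
# and anything after "#" on the line is ignored as a comment.
sudoers_mitigated() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*Defaults[^#]*([^!]ignore_dot|secure_path[[:space:]]*=)'
}

# cve_2010_1163_exposed "PATH-string" "sudoers-text": print "exposed" and
# succeed only when PATH searches the cwd AND no mitigating Defaults is set;
# otherwise print "not exposed" and fail, so the result is usable in scripts.
cve_2010_1163_exposed() {
    if path_has_dot "$1" && ! sudoers_mitigated "$2"; then
        echo exposed
        return 0
    fi
    echo "not exposed"
    return 1
}

# Constructed sample sudoers fragments: the first grants sudoedit with no
# mitigating option, the second adds ignore_dot as the advisory recommends.
SUDOERS_WEAK='Defaults env_reset
alice ALL = sudoedit /etc/motd'
SUDOERS_FIXED='Defaults env_reset, ignore_dot
alice ALL = sudoedit /etc/motd'

# Stand-alone run ("|| :" keeps a failing check from stopping the script).
cve_2010_1163_exposed "/usr/bin:/bin:." "$SUDOERS_WEAK"  || :   # exposed
cve_2010_1163_exposed "/usr/bin:/bin:." "$SUDOERS_FIXED" || :   # not exposed
cve_2010_1163_exposed "/usr/bin:/bin"   "$SUDOERS_WEAK"  || :   # not exposed
```

The sudoers check is deliberately a line-level pattern rather than a parser: it is meant for a quick audit of which hosts still lack ignore_dot or secure_path, and a "not exposed" answer only means one of the two preconditions is absent, not that the vulnerable sudo version has been upgraded.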

Fix:

The bug is fixed in sudo 1.7.2p6 and 1.6.9p22.

Credit:

Thanks to Valerio Costamagna for finding the bug and Agazzini Maurizio for alerting me to the problem.

See Also:

The other sudoedit escalation bug.