Sudo version 1.6.8p9 now available, fixes security issue.

From: Todd C. Miller (Todd.Miller_at_courtesan.com)
Date: 06/20/05

    To: bugtraq@securityfocus.com
    Date: Mon, 20 Jun 2005 08:24:43 -0600

    Sudo version 1.6.8, patchlevel 9 is now available, which fixes a
    race condition in Sudo's pathname validation. This is a security
    issue.

    Summary:
        A race condition in Sudo's command pathname handling prior to
        Sudo version 1.6.8p9 could allow a user with Sudo privileges
        to run arbitrary commands.

    Sudo versions affected:
        Sudo versions 1.3.1 up to and including 1.6.8p8.

    Details:
        When a user runs a command via Sudo, the inode and device numbers
        of the command are compared to those of commands with the same
        basename found in the sudoers file (see the Background paragraph
        for more information). When a match is found, the path to the
        matching command listed in the sudoers file is stored in the
        variable safe_cmnd, which is later used to execute the command.
        Because the actual path executed comes from the sudoers file
        and not directly from the user, Sudo should be safe from race
        conditions involving symbolic links (the user-supplied path is
        checked with stat(2) and only later executed, so a symbolic
        link at that path could otherwise be retargeted between the
        check and the exec). However, if a sudoers entry containing
        the pseudo-command ALL follows the user's sudoers entry, the
        contents of safe_cmnd will be overwritten with the path the
        user specified on the command line, making Sudo vulnerable to
        exactly that race condition.

    Impact:
        Exploitation of the bug requires that the user be allowed to
        run one or more commands via Sudo and be able to create symbolic
        links in the filesystem. Furthermore, a sudoers entry giving
        another user access to the ALL pseudo-command must follow the
        user's sudoers entry for the race to exist.

        For example, the following sudoers file is not affected by the
        bug:

            root server=ALL
            someuser server=/bin/echo

        Whereas this one would be:

            someuser server=/bin/echo
            root server=ALL

    Fix:
        The bug is fixed in sudo 1.6.8p9.

    Workaround:
        The administrator can order the sudoers file such that all
        entries granting Sudo ALL privileges precede all other entries.
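
    The matching behaviour described under Details and the ordering
    workaround above, acted out as an added Python model. This is not
    sudo's source and not part of the original announcement: it parses
    only the minimal "user host=cmd,cmd" sudoers lines the advisory uses
    (no aliases, runas specs or Defaults), assumes a POSIX filesystem
    with symbolic links, and its "fixed" branch is a simplified stand-in
    for the corrected behaviour (entries for other users never touch
    safe_cmnd), not the actual 1.6.8p9 change. The sudoers lines and the
    temporary files are constructed for the demonstration.

```python
import os
import tempfile
from typing import List, NamedTuple, Optional, Tuple

# Added example modelling the advisory: this is not sudo's source. The
# sudoers syntax handled is only the minimal "user host=cmd1,cmd2" form
# used in the advisory's examples; aliases, runas specs and Defaults are
# not parsed (assumption for illustration).


class Entry(NamedTuple):
    user: str
    host: str
    cmnds: List[str]


def parse_sudoers(text: str) -> List[Entry]:
    """Parse 'user host=cmd[,cmd...]' lines in file order; order matters."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, spec = line.split(None, 1)
        host, cmnds = spec.split("=", 1)
        entries.append(Entry(user, host.strip(), [c.strip() for c in cmnds.split(",")]))
    return entries


def same_file(a: str, b: str) -> bool:
    """Inode/device comparison as in the advisory (stat follows symlinks)."""
    try:
        sa, sb = os.stat(a), os.stat(b)
    except OSError:
        return False
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def resolve_safe_cmnd(entries: List[Entry], user: str, user_cmnd: str,
                      vulnerable: bool) -> Optional[str]:
    """Model of the matching loop. Returns the path that would be executed
    (safe_cmnd), or None when the user is not permitted to run the command.
    vulnerable=True: every entry's command list is matched, so a later ALL
    entry (even another user's) overwrites safe_cmnd with the user-supplied
    path. vulnerable=False: simplified corrected model in which entries for
    other users never touch safe_cmnd (assumption, not the 1.6.8p9 diff)."""
    safe_cmnd = None
    permitted = False
    for e in entries:
        applies = e.user == user
        if not vulnerable and not applies:
            continue
        for c in e.cmnds:
            if c == "ALL":
                safe_cmnd = user_cmnd          # the overwrite described in Details
                permitted = permitted or applies
            elif (os.path.basename(c) == os.path.basename(user_cmnd)
                  and same_file(c, user_cmnd)):
                safe_cmnd = c                  # trusted path taken from sudoers
                permitted = permitted or applies
    return safe_cmnd if permitted else None


def all_after_other(entries: List[Entry]) -> List[Tuple[int, int]]:
    """Ordering check for the workaround: (i, j) pairs where entry i grants
    specific commands and a later entry j grants ALL. An empty list means
    the file is ordered as the workaround requires."""
    return [(i, j)
            for j, ej in enumerate(entries) if "ALL" in ej.cmnds
            for i, ei in enumerate(entries[:j]) if "ALL" not in ei.cmnds]


def race_demo(vulnerable: bool, all_first: bool = False) -> str:
    """Act out the symlink race in a temp dir (constructed data, nothing is
    executed): returns the basename of the file that would actually run."""
    with tempfile.TemporaryDirectory() as d:
        allowed = os.path.join(d, "echo")          # stand-in for /bin/echo
        evil = os.path.join(d, "evil")             # what the attacker wants run
        attacker_dir = os.path.join(d, "attacker")
        link = os.path.join(attacker_dir, "echo")  # same basename as the allowed command
        for p in (allowed, evil):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        os.mkdir(attacker_dir)
        os.symlink(allowed, link)                  # at check time it points at the allowed command
        lines = [f"someuser server={allowed}", "root server=ALL"]
        if all_first:
            lines.reverse()                        # the workaround ordering
        entries = parse_sudoers("\n".join(lines))
        safe_cmnd = resolve_safe_cmnd(entries, "someuser", link, vulnerable)
        # Between the inode check and the exec the attacker retargets the link.
        os.remove(link)
        os.symlink(evil, link)
        return os.path.basename(os.path.realpath(safe_cmnd))


if __name__ == "__main__":
    print("vulnerable, ALL last :", race_demo(vulnerable=True))                 # evil
    print("vulnerable, ALL first:", race_demo(vulnerable=True, all_first=True))  # echo
    print("fixed, ALL last      :", race_demo(vulnerable=False))                # echo
```

    With the ALL entry last, the vulnerable model executes whatever the
    attacker's symlink points at after the check; with the ALL entry
    first (the workaround) the later specific-command match restores the
    sudoers path, and the corrected model never lets root's entry touch
    safe_cmnd at all. all_after_other() is the check an administrator can
    run over a sudoers file to confirm the workaround ordering.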

    Credit:
        This problem was brought to my attention by Charles Morris.

    Background:
        The reason Sudo uses the inode for command matching is to make
        relative paths work and to avoid problems caused by automounters
        where the path to be executed is not the same as the absolute
        path to the command.

        Another possible approach is to use the realpath() function to
        find the true path. Sudo does not use realpath() because that
        function is not present in all operating systems and is often
        vulnerable to race conditions where it does exist.

    The next major Sudo release will be version 1.7. For information
    on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html
    You can help speed the release of Sudo 1.7 by purchasing a support
    contract or making a donation (see below).

    Commercial support is available for Sudo. If your organization
    uses Sudo, please consider purchasing a support contract to help
    fund future Sudo development at http://www.sudo.ws/support.html
    Custom enhancements to Sudo may also be contracted.

    You can also help out by making a donation or "purchase" a copy
    of Sudo at http://www.sudo.ws/purchase.html

    Master Web Site:
        http://www.sudo.ws/sudo/

    Web Site Mirrors:
        http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
        http://sudo.stikman.com/ (Los Angeles, California, USA)
        http://sudo.tolix.org/ (California, USA)
        http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
        http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
        http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
        http://www.signal42.com/mirrors/sudo_www/ (USA)
        http://sudo.xmundo.net/ (Argentina)
        http://sudo.planetmirror.com/ (Australia)
        http://mirror.mons-new-media.de/sudo/ (Germany)
        http://sunshine.lv/sudo/ (Latvia)
        http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
        http://sudo.cdu.elektra.ru/ (Russia)
        http://sudo.nctu.edu.tw/ (Taiwan)

    FTP Mirrors:
        ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
        ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
        ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
        ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
        ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
        ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
        ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana, USA)
        ftp://ftp.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
        ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
        ftp://sudo.xmundo.net/pub/mirrors/sudo/ (Argentina)
        ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ (Australia)
        ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
        ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
        ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong, China)
        ftp://ftp.eunet.cz/pub/security/sudo/ (Czechoslovakia)
        ftp://ftp.ujf-grenoble.fr/sudo/ (France)
        ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
        ftp://ftp.win.ne.jp/pub/misc/sudo/ (Japan)
        ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/ (Japan)
        ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/ (Japan)
        ftp://core.ring.gr.jp/pub/misc/sudo/ (Japan)
        ftp://ftp.ring.gr.jp/pub/misc/sudo/ (Japan)
        ftp://ftp.tpnet.pl/d6/ftp.sudo.ws/ (Poland)
        ftp://ftp.cdu.elektra.ru/pub/unix/security/sudo/ (Russia)
        ftp://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

    HTTP Mirrors:
        http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
        http://sudo.tolix.org/ftp/ (California, USA)
        http://sudo.mirror99.com/ (San Jose, California, USA)
        http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
        http://www.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
        http://probsd.org/sudoftp/ (East Coast, USA)
        http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
        http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
        http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
        http://core.ring.gr.jp/archives/misc/sudo/ (Japan)
        http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
        http://ftp.tpnet.pl/vol/d6/ftp.sudo.ws/ (Poland)
        http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
        http://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

