Sudo Runas group match Local Privilege Escalation Vulnerability
Release date: 2010-09-07
Updated on: 2010-09-08
Affected Systems:
Todd Miller Sudo 1.7.0-1.7.4 p3
Unaffected system:
Todd Miller Sudo 1.7.4 p4
Description:
--------------------------------------------------------------------------------
Bugtraq id: 43019
CVE (CAN) ID: CVE-2010-2956
Sudo is a program that allows users to execute commands safely with other user permissions. It is widely used in Linux and Unix operating systems.
You can specify the list of users and groups that can run commands in sudoers file items. For example, for the following sudoers items:
Millert ALL = (lp: operator)/usr/bin/lpq,/usr/bin/lprm,/usr/bin/lpc
The millert user can run/usr/bin/lpq,/usr/bin/lprm or/usr/bin/lpc together with the lp user, operator group, or the preceding permissions. In this case, the following operations are allowed:
$ Sudo-g operator/usr/bin/lpc
$ Sudo-u lp/usr/bin/lprm
$ Sudo-g operator-u lp/usr/bin/lpq
However, due to an error in the matching logic, as long as the allowed group is specified, millert users can run the listed commands with any user's permissions. For example, even if the user does not have root permissions, the following permissions are allowed:
$ Sudo-g operator-u root/usr/bin/lpq
<* Source: Markus Wuethrich
Link: http://secunia.com/advisories/41316/
Http://www.sudo.ws/sudo/alerts/runas_group.html
Http://security.gentoo.org/glsa/201009-03.xml
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Todd Miller
-----------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
Http://www.sudo.ws/sudo/dist/
Gentoo
------
Gentoo has released a Security Bulletin (GLSA 201009-03) and corresponding patches for this purpose:
GLSA 201009-03: sudo: Privilege Escalation
Link: http://security.gentoo.org/glsa/201009-03.xml
All sudo users should upgrade to the latest version:
# Emerge -- sync
# Emerge -- ask -- oneshot -- verbose "> = 3Dapp-admin/sudo-1.7.4_p3-r1"