SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Sudo Vendors:   Miller, Todd C.
(EnGarde Secure Linux Releases Fix) Re: Sudo Administration Utility May Give Local Users Root-Level Access
SecurityTracker Alert ID:  1001976
SecurityTracker URL:  http://securitytracker.com/id/1001976
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 11 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to version 1.6.3p6
Description:   The Sudo super user administration utility contains a vulnerability that allows a local user to execute arbitrary shell code on the server leading to root-level access.

Sudo is an application that is, by design, installed with set userid (suid) privileges. It is intended to allow a local user to execute certain commands under the privileges of another user (such as root) while providing command logging.

The logging code reportedly contains a a buffer overflow.

Impact:   A local user could execute arbitrary shell code on the server leading to root-level access.
Solution:   The vendor has released a fix. See the Source Message for the vendor's advisory.
Vendor URL:  www.courtesan.com/sudo/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (EnGarde)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 19 2001 Sudo Administration Utility May Give Local Users Root-Level Access



 Source Message Contents

Subject:  [ESA-20010711-02] sudo elevated privileges vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                   July 11, 2001 |
| http://www.engardelinux.org/                           ESA-20010711-02 |
|                                                                        |
| Package:  sudo                                                         |
| Summary:  Users in the 'admin' group can gain elevated privileges.     |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
- --------
  The configuration file for the sudo package which shipped with EnGarde
  Secure Linux 1.0.1 can allow users in the 'admin' group to gain elevated
  privileges by leveraging certain commands.


DETAIL
- ------
  Ralf Hemmann has, via the engarde-users mailing list, brought a security
  issue with our default /etc/sudoers file to our attention.

  In EnGarde Secure Linux, users in the 'admin' group have more privileges
  then a normal user.  They are allowed to execute more commands (such as
  su(1)) and are allowed to read certain configuration files that non-admin
  users are not allowed to.

  One of these commands is the sudo command, which allows a normal user to
  execute a command with elevated privileges.  By default, any user in the
  'admin' group can run several commands as defined in the /etc/sudoers
  file.

  However, some of these commands can lead to a total root shell since
  they are running with root privileges.

  We do not deem this a major security issue as users listed in the 'admin'
  group are normally trusted users.  However "trusted" does not mean you
  want them to have full-blown root access, so we are issuing this
  advisory.  Environments where untrusted users may be a member of the
  'admin' group should implement the countermeasures outlined in this
  advisory to eliminate the threat of a user gaining root privileges
  without their knowledge.


SOLUTION
- --------
  We are not issuing updated packages to fix this problem, as the
  /etc/sudoers file is a configuration file which would not be replaced
  by an updated package.


  Solution 1:  No Action at All
  -----------------------------
    No action needs to be taken if you:

      a) trust all of the users in your 'admin' group; and

      b) understand the security implications of allowing them to run
         commands that can lead to them having elevated privileges.

    If both these are true, then no action is required.


  Solution 2:  Remove the sudo Package
  ------------------------------------
    If you do not use sudo, and do not think you ever will, then it is
    safe to remove the sudo package completely.

    Before removing the package, the machine must either:

      a) be booted into a "standard" kernel; or
      b) have LIDS disabled.

    To disable LIDS, execute the command:

      # /sbin/lidsadm -S -- -LIDS

    To remove sudo, execute the command:

      # rpm -e sudo

    To reload the LIDS configuration, execute the command:

      # /usr/sbin/config_lids.pl

    To re-enable LIDS (if it was disabled), execute the command:

      # /sbin/lidsadm -S -- +LIDS

    The sudo package is now removed, and the issue is closed.


  Solution 3:  Remove the 'admin' Group Privileges
  ------------------------------------------------
    This solution to the problem uses the visudo(8) command to edit the
    /etc/sudoers file.  Please note that you will be brought in to vi(1)
    by default.  If you are not comfortable using vi then we recommend
    you change your EDITOR environment variable to pico(1) by typing:

      # export EDITOR=pico

    To remove admin privileges completely, execute the command:

      # visudo

    Now comment out or remove the line "%admin  ALL=ADMINCMDS, NETCMDS"
    from the user privilege specification.  This line should be the last
    line in the file.  The changes will take effect when you exit the
    editor, saving your changes.


UPDATED PACKAGES
- ----------------
  There are no updated packages at this time.


REFERENCES
- ----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  Credit for the discovery of this bug goes to:
    Ralf Hemmann <ralf@convergence.de>

  sudo's Official Web Site:
    http://www.courtesan.com/sudo/

  Security Contact:    security@guardiandigital.com
  EnGarde Advisories:  http://www.engardelinux.org/advisories.html

- --------------------------------------------------------------------------
$Id: ESA-20010711-02-sudo,v 1.5 2001/07/11 16:56:28 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com> 
Copyright 2001, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7TI+3HD5cqd57fu0RAuWzAJ4yLpK/w9c2brddafxVScRAFyFFugCcDcxr
adpkjUmqTvdF70Dl5HK7DyM=
=UFxX
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
     To unsubscribe email engarde-security-request@engardelinux.org
         with "unsubscribe" in the subject of the message.

Copyright(c) 2001 Guardian Digital, Inc.                EnGardeLinux.org
------------------------------------------------------------------------




 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC