SecurityTracker.com
Category:   Application (Generic)  >   Sudo
Vendors:   Miller, Todd C.
(Fix is Available) Re: Sudo System Administration Utility May Allow Local Users to Obtain Root Privileges on the Host By Executing Code Via Sendmail
SecurityTracker Alert ID:  1003238
SecurityTracker URL:  http://securitytracker.com/id/1003238
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 15 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   The SuSE Security Team reported a vulnerability in sudo. A local user may be able to execute code on the host and obtain root privileges.

It is reported that a local user may be able to cause sudo to log a failed sudo invocation and, as part of that logging, run the mail program with root privileges while some of the user's environment settings are retained. Depending on the mail server that is installed (e.g., sendmail in certain configurations, postfix), the local user could use the retained environment to execute arbitrary code with root privileges.

Impact:   A local user could obtain root privileges on the host.
Solution:   A fixed version (1.6.4) is available at the following locations:

Master WWW site:
http://www.sudo.ws/sudo/dist/

WWW Mirrors:
http://sudo.stikman.com/ (Los Angeles, California, USA)
http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
http://www.c0r3dump.com/sudo/ (Edmonton, Canada)
http://sudo.cdu.elektra.ru/ (Russia)

Master FTP sites:
ftp.sudo.ws:/pub/sudo/
ftp.cs.colorado.edu:/pub/sudo/

FTP Mirrors:
ftp.cs.colorado.edu:/pub/sudo/ (Boulder, Colorado, USA)
ftp.stikman.com:/pub/sudo/ (Los Angeles, California, USA)
ftp.uu.net:/pub/security/sudo/ (Falls Church, Virginia, USA)
ftp.tux.org:/pub/security/sudo/ (Beltsville, Maryland, USA)
coast.cs.purdue.edu:/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
ftp.uwsg.indiana.edu:/pub/sudo/ (Bloomington, Indiana, USA)
sudobash.com:/pub/sudo/ (Ypsilanti, Michigan, USA)
ftp.tamu.edu:/pub/mirrors/ftp.courtesan.com/ (College Station, Texas, USA)
ftp.rge.com:/pub/admin/sudo/ (Rochester, New York, USA)
mirage.informationwave.net:/sudo/ (Fanwood, New Jersey, USA)
ftp.wiretapped.net:/pub/security/host-security/sudo/ (Australia)
ftp.tuwien.ac.at:/utils/admin-tools/sudo/ (Austria)
sunsite.ualberta.ca:/pub/Mirror/sudo/ (Alberta, Canada)
ftp.csc.cuhk.edu.hk:/pub/packages/unix-tools/sudo/ (Hong Kong, China)
ftp.eunet.cz:/pub/security/sudo/ (Czechoslovakia)
ftp.umds.ac.uk:/pub/sudo/ (Great Britain)
ftp.tvi.tut.fi:/pub/security/unix/sudo/ (Finland)
ftp.lps.ens.fr:/pub/software/sudo/ (France)
ftp.crihan.fr:/pub/security/sudo/ (France)
ftp.rz.uni-osnabrueck.de:/pub/unix/security/sudo/ (Germany)
ftp.win.ne.jp:/pub/misc/sudo/ (Japan)
ftp.st.ryukoku.ac.jp:/pub/security/tool/sudo/ (Japan)
ftp.eos.hokudai.ac.jp:/pub/misc/sudo/ (Japan)
ftp.tokyonet.ad.jp:/pub/security/sudo/ (Japan)
ftp.kobe-u.ac.jp:/pub/util/security/tool/sudo/ (Japan)
ftp.cin.nihon-u.ac.jp:/pub/util/sudo/ (Japan)
ftp.fujitsu.co.jp:/pub/misc/sudo/ (Japan)
core.ring.gr.jp:/pub/misc/sudo/ (Japan)
ftp.ring.gr.jp:/pub/misc/sudo/ (Japan)
ftp.ayamura.org:/pub/sudo/ (Japan)
ftp.iphil.net:/pub/sudo/ (Makati City, Philippines)
ftp.icm.edu.pl:/vol/wojsyl5/sudo/ (Poland)
ftp.assist.ro:/pub/mirrors/ftp.courtesan.com/pub/sudo/ (Romania)
ftp.sai.msu.su:/pub/unix/security/ (Russia)
ftp.cdu.elektra.ru:/pub/unix/security/sudo/ (Russia)
ftp.mc.hik.se:/pub/unix/security/sudo/ (Sweden)
ftp.sekure.net:/pub/sudo/ (Sweden)
ftp.edu.tw:/UNIX/sudo/ (Taiwan)
ftp.comu.edu.tr:/pub/linux/prog/sudo/ (Turkey)

Vendor URL:  www.courtesan.com/sudo/
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 14 2002 Sudo System Administration Utility May Allow Local Users to Obtain Root Privileges on the Host By Executing Code Via Mail Transfer Agent (MTA)



 Source Message Contents

Subject:  Sudo version 1.6.4 now available (fwd)



---------- Forwarded message ----------
Date: Mon, 14 Jan 2002 07:44:02 -0700
From: Todd C. Miller <Todd.Miller@courtesan.com>
To: sudo-announce@courtesan.com
Subject: Sudo version 1.6.4 now available

Sudo version 1.6.4 is now available (ftp sites listed at the end).

There are some things I had promised for the next release that are
not in 1.6.4 due to the large changes in the parser that these
changes require to work properly.  Nonetheless this release does
fix the majority of problems in the sudo bugs database and adds
features a number of people have asked for.  I hope to make more
frequent releases in the near future (it has been quite a while
since 1.6.3 was originally released).

 - todd

Major changes since 1.6.3p7:

 o Visudo now checks for the existence of an editor and gives a sensible
   error if it does not exist.

 o The path to the editor for visudo is now a colon-separated list of
   allowable editors.  If the user has $EDITOR set and it matches
   one of the allowed editors that editor will be used.  If not,
   the first editor that actually exists is used.

 o Allow special characters (including '#') to be embedded in pathnames
   if quoted by a '\\'.  The quoted chars will be dealt with by fnmatch().
   Unfortunately, 'sudo -l' still prints the '\\'.

 o Added the always_set_home option.

 o Strip NLSPATH and PATH_LOCALE out from the environment to prevent
   reading of protected files by a less privileged user.

 o Added support for BSD authentication and associated -a flag.

 o Added stay_setuid option for systems that have libraries that perform
   extra paranoia checks in system libraries for setuid programs.

 o Environment munging is now done by hand.  The environment is zeroed
   upon sudo startup and a new environment is built before the command
   is executed.  This means we don't rely on getenv(3), putenv(3),
   or setenv(3).

 o Added a class of environment variables that are only cleared if they
   contain '/' or '%' characters.

 o Use stashed user_gid when checking against exempt gid since sudo
   sets its gid to SUDOERS_GID, making getgid() return that, not the
   real gid.  Fixes problem with setting exempt group == SUDOERS_GID.

 o Regenerated configure script with autoconf-2.52 (required some
   tweaking of configure.in and friends).

 o Added mail_badpass option to send mail when the user does not
   authenticate successfully.

 o Added env_reset Defaults option to reset the environment to
   a clean slate.  Also implemented env_keep Defaults option
   to specify variables to be preserved when resetting the
   environment.

 o Added env_check and env_delete Defaults options to allow the admin
   to modify the builtin list of environment variables to remove.

 o If timestamp_timeout < 0 then the timestamp never expires.  This
   allows users to manage their own timestamps and create or delete
   them via 'sudo -v' and 'sudo -k' respectively.

 o Authentication routines that use sudo's tgetpass() now accept
   ^C or ^Z at the password prompt and sudo will act appropriately.

 o Added a check-only mode to visudo to check an existing sudoers
   file for sanity.

 o Visudo can now edit an alternate sudoers file.

 o If sudo is configured with S/Key support and the system has
   skeyaccess(3) use that to determine whether or not to allow
   a normal Unix password or just S/Key.

 o Fixed CIDR handling in sudoers.

 o Fixed a segv if the local hostname is not resolvable and
   the 'fqdn' option is set.

 o "listpw=never" was not having an effect for users who did not
   appear in sudoers--now it does.

 o The --without-sendmail option now works on systems with
   a /usr/include/paths.h file that defines _PATH_SENDMAIL.

 o Removed the "secure_path" Defaults option as it does not work and
   cannot work until the parser is overhauled.

 o Added new -P flag and "preserve_groups" sudoers option to cause
   sudo to preserve the group vector instead of setting it to that
   of the target user.  Previously, if the target user was root
   the group vector was not changed.  Now it is always changed unless
   the -P flag or "preserve_groups" option was given.

 o If find_path() fails as root, try again as the invoking user (useful
   for NFS).  Idea from Chip Capelik.

 o Use setpwent()/endpwent() and its shadow equivalents to be sure
   the passwd/shadow file gets closed.

 o Use getifaddrs(3) to get the list of network interfaces if it is
   available.

 o Dump list of local IP addresses and environment variables to clear
   when 'sudo -V' is run as root.

 o Wrap each call to syslog() with openlog()/closelog() since some
   things (such as PAM) may call closelog(3) behind sudo's back.

 o The LOGNAME and USER environment variables are now set if the user
   specified a target uid and that uid exists in the password database.

 o Now call pam_setcreds() to setup creds for the target user when
   PAM is in use.  On Linux this often sets resource limits.

[ Note that I'm now using the sudo.ws domain instead of courtesan.com
  for sudo-related things.  This is just a cosmetic change as the
  sudo.ws addresses still point to the same machine they always have. ]

Master WWW site:
    http://www.sudo.ws/sudo/dist/

WWW Mirrors:
    http://sudo.stikman.com/ (Los Angeles, California, USA)
    http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
    http://www.c0r3dump.com/sudo/ (Edmonton, Canada)
    http://sudo.cdu.elektra.ru/ (Russia)

Master FTP sites:
    ftp.sudo.ws:/pub/sudo/
    ftp.cs.colorado.edu:/pub/sudo/

FTP Mirrors:
    ftp.cs.colorado.edu:/pub/sudo/ (Boulder, Colorado, USA)
    ftp.stikman.com:/pub/sudo/ (Los Angeles, California, USA)
    ftp.uu.net:/pub/security/sudo/ (Falls Church, Virginia, USA)
    ftp.tux.org:/pub/security/sudo/ (Beltsville, Maryland, USA)
    coast.cs.purdue.edu:/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    ftp.uwsg.indiana.edu:/pub/sudo/ (Bloomington, Indiana, USA)
    sudobash.com:/pub/sudo/ (Ypsilanti, Michigan, USA)
    ftp.tamu.edu:/pub/mirrors/ftp.courtesan.com/ (College Station, Texas, USA)
    ftp.rge.com:/pub/admin/sudo/ (Rochester, New York, USA)
    mirage.informationwave.net:/sudo/ (Fanwood, New Jersey, USA)
    ftp.wiretapped.net:/pub/security/host-security/sudo/ (Australia)
    ftp.tuwien.ac.at:/utils/admin-tools/sudo/ (Austria)
    sunsite.ualberta.ca:/pub/Mirror/sudo/ (Alberta, Canada)
    ftp.csc.cuhk.edu.hk:/pub/packages/unix-tools/sudo/ (Hong Kong, China)
    ftp.eunet.cz:/pub/security/sudo/ (Czechoslovakia)
    ftp.umds.ac.uk:/pub/sudo/ (Great Britain)
    ftp.tvi.tut.fi:/pub/security/unix/sudo/ (Finland)
    ftp.lps.ens.fr:/pub/software/sudo/ (France)
    ftp.crihan.fr:/pub/security/sudo/ (France)
    ftp.rz.uni-osnabrueck.de:/pub/unix/security/sudo/ (Germany)
    ftp.win.ne.jp:/pub/misc/sudo/ (Japan)
    ftp.st.ryukoku.ac.jp:/pub/security/tool/sudo/ (Japan)
    ftp.eos.hokudai.ac.jp:/pub/misc/sudo/ (Japan)
    ftp.tokyonet.ad.jp:/pub/security/sudo/ (Japan)
    ftp.kobe-u.ac.jp:/pub/util/security/tool/sudo/ (Japan)
    ftp.cin.nihon-u.ac.jp:/pub/util/sudo/ (Japan)
    ftp.fujitsu.co.jp:/pub/misc/sudo/ (Japan)
    core.ring.gr.jp:/pub/misc/sudo/ (Japan)
    ftp.ring.gr.jp:/pub/misc/sudo/ (Japan)
    ftp.ayamura.org:/pub/sudo/ (Japan)
    ftp.iphil.net:/pub/sudo/ (Makati City, Philippines)
    ftp.icm.edu.pl:/vol/wojsyl5/sudo/ (Poland)
    ftp.assist.ro:/pub/mirrors/ftp.courtesan.com/pub/sudo/ (Romania)
    ftp.sai.msu.su:/pub/unix/security/ (Russia)
    ftp.cdu.elektra.ru:/pub/unix/security/sudo/ (Russia)
    ftp.mc.hik.se:/pub/unix/security/sudo/ (Sweden)
    ftp.sekure.net:/pub/sudo/ (Sweden)
    ftp.edu.tw:/UNIX/sudo/ (Taiwan)
    ftp.comu.edu.tr:/pub/linux/prog/sudo/ (Turkey)
____________________________________________________________
sudo-announce mailing list <sudo-announce@sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-announce
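
The environment handling described in the 1.6.4 change list (a new environment built by hand, a delete list, a class cleared only when the value contains '/' or '%', and env_reset with env_keep) can be modelled as follows. This is an added example, not sudo's source code: the function names and the list contents are assumptions chosen for illustration (only NLSPATH and PATH_LOCALE come from the announcement), and the semantics are a simplified model.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative lists (assumptions), not sudo's built-in tables. */
static const char *const env_delete[] = { "NLSPATH", "PATH_LOCALE", NULL };
static const char *const env_check[]  = { "LANG", "LANGUAGE", NULL };
static const char *const env_keep[]   = { "TERM", "LANG", NULL };

/* Return 1 if the "NAME=value" entry names a variable found in list. */
static int in_list(const char *entry, const char *const *list)
{
    size_t n = (size_t)(strchr(entry, '=') - entry);
    for (; *list != NULL; list++)
        if (strlen(*list) == n && strncmp(entry, *list, n) == 0)
            return 1;
    return 0;
}

/* A value is suspect if it can carry a path ('/') or a '%' escape. */
static int unsafe_value(const char *entry)
{
    return strpbrk(strchr(entry, '=') + 1, "/%") != NULL;
}

/*
 * Build a fresh NULL-terminated environment in out[] (capacity cap,
 * terminator included) from in[], never editing the inherited one.
 * Returns the number of entries copied, or -1 if out[] is too small.
 */
int build_env(char *const in[], int reset, const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return -1;
    for (; *in != NULL; in++) {
        if (strchr(*in, '=') == NULL || **in == '=')
            continue;                   /* malformed entry: drop */
        if (in_list(*in, env_delete))
            continue;                   /* always removed */
        if (in_list(*in, env_check) && unsafe_value(*in))
            continue;                   /* removed only if '/' or '%' */
        if (reset && !in_list(*in, env_keep))
            continue;                   /* env_reset: allowlist only */
        if (n + 1 >= cap)
            return -1;                  /* no room for entry + NULL */
        out[n++] = *in;
    }
    out[n] = NULL;
    return (int)n;
}
```

The result is meant to be passed as the `envp` argument of `execve(2)` when a privileged process starts a helper such as a mailer, so the helper never sees the caller's original environment.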

 
 

