SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Sudo Vendors:   Miller, Todd C.
(FreeBSD Issues Fix) Sudo System Administration Utility May Allow Local Users to Obtain Root Privileges on the Host By Executing Code Via Sendmail
SecurityTracker Alert ID:  1003267
SecurityTracker URL:  http://securitytracker.com/id/1003267
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 16 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   The SuSE Security Team reported a vulnerability in sudo. A local user may be able to execute code on the host and obtain root privileges.

It is reported that a local user may be able to cause sudo to log failed sudo invocations and execute mail with root privileges while retaining some environment settings. Depending on the mail server that is installed, the local user could execute mail (e.g., sendmail in certain configurations, postfix) with root privileges and execute arbitrary code with root privileges.

Impact:   A local user could obtain root privileges on the host.
Solution:   The vendor has described a workaround and has released a fix.

The workaround is to deinstall the sudo port/package if you have it installed.

The following options are available to correct the flaw:

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/sudo-1.6.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/sudo-1.6.4.1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the sudo port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection:

Path, Revision

ports/security/sudo/Makefile, 1.43
ports/security/sudo/distinfo, 1.26

Vendor URL:  www.courtesan.com/sudo/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  UNIX (FreeBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 14 2002 Sudo System Administration Utility May Allow Local Users to Obtain Root Privileges on the Host By Executing Code Via Mail Transfer Agent (MTA)



 Source Message Contents

Subject:  FreeBSD Ports Security Advisory FreeBSD-SA-02:06.sudo


-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:06                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          sudo port may enable local privilege escalation

Category:       ports
Module:         sudo
Announced:      2002-01-16
Credits:        Sebastian Krahmer <krahmer@suse.de>
Affects:        Ports collection prior to the correction date
Corrected:      2002-01-15 02:56:33 UTC
FreeBSD only:   NO

I.   Background

Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity.

II.  Problem Description

The sudo port, versions prior to sudo-1.6.4.1, contains a
vulnerability that may allow a local user to obtain superuser
privileges.

If a user who has not been authorized by the system administrator
(listed in the `sudoers' file) attempts to use sudo, sudo will send an
email alert.  When it does so, it invokes the system mailer with
superuser privileges, and with most of the user's environment intact.

The sudo port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

If the system mailer's behavior can be influenced by the settings of
environmental variables, then an attacker may obtain superuser
privileges.  There is at least one mailer (postfix) that can be
influenced in this fashion.

IV.  Workaround

1) Deinstall the sudo port/package if you have it installed.

V.   Solution

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/sudo-1.6.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/sudo-1.6.4.1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the sudo port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                             Revision
- -------------------------------------------------------------------------
ports/security/sudo/Makefile                                         1.43
ports/security/sudo/distinfo                                         1.26
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPEYIq1UuHi5z0oilAQEgTAP/YXD+lSngGwbloUn09xvwgn8i5uGaEX5O
Rj1v7XM3HRT/Gmr1CJiK7LtMbj/iilHzC2YiTAUHyxYzdEU7k9SnLgxK6rcSYNql
5wkYL1asHQhFPYejEqQVPKejrr4L/+/bYmQbkLKc9EMdErnhYoNrw6QbN+XvmO6p
oAzSK07ixi4=
=rmb8
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC