SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Sudo Vendors:   Miller, Todd C.
(Immunix Issues Fix) Sudo System Administration Utility May Allow Local Users to Obtain Root Privileges on the Host By Executing Code Via Sendmail
SecurityTracker Alert ID:  1003286
SecurityTracker URL:  http://securitytracker.com/id/1003286
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 18 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   The SuSE Security Team reported a vulnerability in sudo. A local user may be able to execute arbitrary code on the host and obtain root privileges.

When sudo rejects an invocation (for example, a user who is not listed in sudoers), it reports the failure to the administrator by running the local mail program as root. Sudo versions prior to 1.6.4 did not clear the invoking user's environment before doing so, so the mail program starts with root privileges and an environment the user controls. Depending on the MTA installed (postfix, and sendmail in certain configurations), a local user can use those environment settings to make the mailer execute arbitrary code with root privileges.
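The description above (and the Immunix advisory further down) describe a root-privileged program handing its caller's environment to a mailer. The C program below is an added illustration of that pattern and is not sudo's, Immunix's or any MTA's code: run_mailer() with sanitize=0 reproduces the vulnerable behaviour (the child inherits environ), and with sanitize=1 gives the child a fixed environment chosen by the privileged program, copying through only a short allowlist. The function names, the allowlist, the fixed values, and the constructed INJECTED_BY_USER variable are assumptions made for this example; /bin/sh stands in for the real mailer so the program runs anywhere.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

#define MAX_ENV 64

/* Variables a privileged program may copy through from the caller's
 * environment.  Everything else (PATH, LD_PRELOAD, any mailer-specific
 * configuration variable, ...) is dropped.  Allowlist chosen for this
 * example; it is not sudo's list. */
static const char *const passthrough[] = { "TZ", "LANG", NULL };

/* Return the value of NAME in envp, or NULL if it is not set. */
const char *env_get(char *const *envp, const char *name)
{
    size_t len = strlen(name);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, len) == 0 && (*envp)[len] == '=')
            return *envp + len + 1;
    return NULL;
}

/* Build the environment the mailer will see: fixed values set by the
 * privileged program, plus the allowlisted variables copied from
 * `inherited`.  The caller's PATH and everything not allowlisted never
 * reach the child.  Caller frees the result with free_env(). */
char **build_mailer_env(char *const *inherited, const char *user)
{
    char **env = calloc(MAX_ENV, sizeof *env);
    size_t n = 0;
    char buf[256];
    if (env == NULL)
        return NULL;
    env[n++] = strdup("PATH=/usr/bin:/bin:/usr/sbin:/sbin");
    env[n++] = strdup("HOME=/");
    env[n++] = strdup("SHELL=/bin/sh");
    env[n++] = strdup("LOGNAME=root");
    env[n++] = strdup("USER=root");
    snprintf(buf, sizeof buf, "SUDO_USER=%s", user);   /* assumed name */
    env[n++] = strdup(buf);
    for (const char *const *p = passthrough; *p != NULL; p++) {
        const char *val = env_get(inherited, *p);
        if (val == NULL || n + 1 >= MAX_ENV)
            continue;
        snprintf(buf, sizeof buf, "%s=%s", *p, val);
        env[n++] = strdup(buf);
    }
    env[n] = NULL;
    return env;
}

void free_env(char **env)
{
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

/* Fork and exec the mailer.  sanitize=0 is the vulnerable pattern: the
 * child inherits the caller's environ.  sanitize=1 hands it the fixed
 * environment instead.  Returns the child's exit status, or -1 on failure. */
int run_mailer(const char *mailer, char *const argv[], const char *user,
               int sanitize)
{
    char **envp = sanitize ? build_mailer_env(environ, user) : environ;
    int status, rc = -1;
    pid_t pid;
    if (envp == NULL)
        return -1;
    pid = fork();
    if (pid == 0) {
        execve(mailer, argv, envp);
        _exit(127);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    if (sanitize)
        free_env(envp);
    return rc;
}

int main(void)
{
    /* Constructed attacker-style variable standing in for whatever the
     * real mailer would honour (LD_PRELOAD, its own config variables). */
    setenv("INJECTED_BY_USER", "1", 1);
    char *const argv[] = { "sh", "-c", "test -z \"$INJECTED_BY_USER\"", NULL };
    printf("inherited env: child exit %d (1 = variable reached the child)\n",
           run_mailer("/bin/sh", argv, "alice", 0));
    printf("fixed env:     child exit %d (0 = variable was dropped)\n",
           run_mailer("/bin/sh", argv, "alice", 1));
    return 0;
}
```

Because parent and child both run as root there is no uid change at exec, so in the inherited-environment path the dynamic loader would also honour LD_PRELOAD in the child; a fixed environment closes that route as well as mailer-specific variables.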

Impact:   A local user could obtain root privileges on the host.
Solution:   The vendor has released a fix and recommends that users with postfix as their MTA should upgrade immediately if there are any untrusted user accounts on the machine. Users with other MTAs should upgrade as soon as convenient.

Some workaround steps are described in the Immunix advisory (see the Source Message).

Precompiled binary packages for Immunix 7.0 are available at:
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/sudo-1.6.5p1-1_imnx.i386.rpm

Source package for Immunix 7.0 is available at:
http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/sudo-1.6.5p1-1_imnx.src.rpm

Immunix OS 7.0 md5sums:
0e41c0231a226417cf0c5e0d009ac4fe RPMS/sudo-1.6.5p1-1_imnx.i386.rpm
2e21a908ad9a7f63ae604bb0a5058ba9 SRPMS/sudo-1.6.5p1-1_imnx.src.rpm

Vendor URL:  www.courtesan.com/sudo/
Cause:   Access control error, State error
Underlying OS:  Linux (Immunix)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 14 2002 Sudo System Administration Utility May Allow Local Users to Obtain Root Privileges on the Host By Executing Code Via Mail Transfer Agent (MTA)



 Source Message Contents

Subject:  [Immunix-announce] ImmunixOS 7.0 sudo update




-----------------------------------------------------------------------
	Immunix OS Security Advisory

Packages updated:	sudo
Affected products:	ImmunixOS 7.0
Bugs fixed:		immunix/1944
Date:			Thu Jan 17 2002
Advisory ID:		IMNX-2002-70-001-01
Author:			Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------

Description:
  Sebastian Krahmer from the SuSE Security Team has discovered a bug:
  sudo versions less than 1.6.4 did not clean the user-supplied
  environment before sending mail to the administrator reporting errors.
  Because the environment is not cleaned, an MTA could be passed an
  unexpected environment while running as root -- with at least postfix,
  and probably other MTAs, this can be trivially turned into a root
  exploit.

  This update to sudo 1.6.5p1 fixes this problem by preventing any
  user-set environment variables from affecting the mail program started
  in response to mail events, such as a user executing sudo without
  proper privileges in sudoers(5).

  Users with postfix should upgrade immediately if there are any
  untrusted user accounts on the machine. Users with other MTAs should
  upgrade as soon as convenient. In the meantime, here are some
  sudoers(5) rules that can help mitigate the problem:

  Defaults !mail_always
  Defaults !mail_no_user
  Defaults !mail_no_host
  Defaults !mail_no_perms

  (If using these rules, please recall to use visudo(8) to edit the
  sudoers(5) file.)

  Thanks to Sebastian Krahmer and Todd Miller for the fixes.

Package names and locations:
  Precompiled binary packages for Immunix 7.0 are available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/sudo-1.6.5p1-1_imnx.i386.rpm

  Source package for Immunix 7.0 is available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/sudo-1.6.5p1-1_imnx.src.rpm

Immunix OS 7.0 md5sums:
  0e41c0231a226417cf0c5e0d009ac4fe  RPMS/sudo-1.6.5p1-1_imnx.i386.rpm
  2e21a908ad9a7f63ae604bb0a5058ba9  SRPMS/sudo-1.6.5p1-1_imnx.src.rpm

GPG verification:
  Our public key is available at <http://wirex.com/security/GPG_KEY>.
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX 
  attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.

_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce

Copyright 2020, SecurityGlobal.net LLC