SecurityTracker.com
Category:   Application (Generic)  >   Sudo
Vendor:   Miller, Todd C.
(OpenBSD Issues Fix) Sudo System Administration Utility May Allow Local Users to Obtain Root Privileges on the Host By Executing Code Via Mail Transfer Agent (MTA)
SecurityTracker Alert ID:  1003293
SecurityTracker URL:  http://securitytracker.com/id/1003293
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 18 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   The SuSE Security Team reported a vulnerability in sudo (versions 1.6.0 through 1.6.3p7). A local user may be able to execute arbitrary code on the host and obtain root privileges.

When a sudo invocation fails, sudo mails a report to the administrator. Since version 1.6.0 it runs the mailer with both the real and effective user ID set to root, so that the invoking user cannot kill the mail process and thereby suppress the log entry. The environment handed to the mailer, however, is derived from the invoking user's environment with only some known-dangerous variables removed. Because both UIDs are 0, the mailer cannot tell that it was started from a setuid program and has no reason to treat that environment with suspicion. A local user who can trigger a failure report can therefore influence the mailer through environment variables. Depending on the mail transfer agent installed (Postfix is the one reported to be affected; sendmail in certain configurations may be as well), this may allow the user to execute arbitrary code with root privileges.

Impact:   A local user could obtain root privileges on the host.
Solution:   The vendor has described a workaround and has released a fix.

OpenBSD notes that when the Postfix sendmail replacement is installed on a host, the host may be vulnerable. However, they indicate that the bug is not believed to be exploitable when sendmail, the MTA that OpenBSD ships with, is installed.

OpenBSD has supplied the following workarounds:

If you don't use sudo you can chmod 000 /usr/bin/sudo (or simply remove it).

If you use Postfix but do not wish to update sudo, you may edit the Postfix main.cf configuration file and change the "import_environment" specification to only include "TZ". This setting controls which variables the Postfix sendmail command imports from the process that invokes it, so it limits what the root-run mailer will accept from sudo; it is a mitigation for Postfix only, not a fix for sudo. E.g.

import_environment = TZ

Patches are available that update sudo to version 1.6.5p1.

Patch for 3.0:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/011_sudo.patch

Patch for 2.9:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/019_sudo.patch

These patches have also been applied to the 2.9 and 3.0 patch branches. As of Fri Jan 18 18:12:35 GMT 2002 the anoncvs servers have not yet updated but should do so in a few hours.

No patch is available for OpenBSD 2.8 but you may compile the sudo sources from the 2.9 patch branch. E.g.

% cvs -d anoncvs@anoncvs.openbsd.org:/cvs get -rOPENBSD_2_9 \
src/usr.bin/sudo

% cd src/usr.bin/sudo

% make -f Makefile.bsd-wrapper

% make -f Makefile.bsd-wrapper install

Vendor URL:  www.courtesan.com/sudo/
Cause:   Access control error, State error
Underlying OS:  UNIX (OpenBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 14 2002 Sudo System Administration Utility May Allow Local Users to Obtain Root Privileges on the Host By Executing Code Via Mail Transfer Agent (MTA)



 Source Message Contents

Subject:  Sudo security hole


Summary:
    A security issue has been found by Sebastian Krahmer of the
    SuSE Security Team in Sudo versions 1.6.0 - 1.6.3p7.  When the
    Postfix sendmail replacement is installed on a machine an
    attacker may be able to gain root privileges by way of Sudo.
    The bug is not believed to be exploitable when sendmail, the
    mailer OpenBSD ships with, is installed.

Details:
    Starting with version 1.6.0 Sudo sends mail to the administrator
    as root to prevent the invoking user from killing the mail
    process and thus avoiding logging (in previous versions of Sudo
    the mail was sent as the invoking user).

    The security problem occurs because the environment that the
    sendmail program is run with comes from the user (with some
    potentially dangerous variables removed).  It is thus possible
    for an attacker to influence the mail program via environment
    variables.  This is compounded by the fact that since Sudo runs
    the mail program with both real and effective uids set to 0
    (root) the mailer cannot tell that it has been called from a
    setuid process and thus treat the environment with suspicion.

    Currently, the only sendmail replacement known to be affected
    is Postfix but it is possible that other mailers could be
    subverted by user control of the environment.  The sendmail
    shipped with OpenBSD does not appear to be vulnerable to this
    kind of subversion.
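    The mechanism described above, and in the Description earlier on this
    page, comes down to how a setuid-root program builds the environment
    for a helper it executes as root. The following is an added example
    written for this page, not code from sudo or OpenBSD: it contrasts the
    denylist approach the vulnerable releases used with an allowlist that
    starts from an empty environment. The allowed variable names, the fixed
    PATH value, the MAX_ENV bound and the sample user environment are
    assumptions made for the example. MAIL_CONFIG is a variable Postfix
    reads from its environment; it is included in the sample to make the
    point concrete, but the advisory does not say which variables matter.

```c
/*
 * Added example, not code from sudo or OpenBSD: building the environment a
 * setuid-root program hands to a helper it executes as root (here, the
 * mailer sudo runs to report a failed invocation).
 *
 * sudo 1.6.0 - 1.6.3p7 started from the invoking user's environment and
 * deleted a few known-dangerous variables (a denylist).  Anything the
 * mailer honours that the denylist never heard of flows through.  The
 * allowlist below starts from an empty environment, copies in only named
 * harmless variables and sets PATH to a fixed value.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV 16   /* assumed upper bound on the environment we build */

/* Caller variables allowed through.  TZ is the one the OpenBSD Postfix
 * workaround keeps; the list itself is an assumption for this example. */
static const char *const allowed[] = { "TZ", NULL };

/* Values the helper always gets, regardless of the caller.  Assumed PATH. */
static const char *const fixed[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };

/* Length of NAME in a "NAME=value" entry, or 0 if the entry is malformed. */
size_t name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return (eq != NULL && eq != entry) ? (size_t)(eq - entry) : 0;
}

/* 1 if the entry's NAME is on the allowlist (exact match, not a prefix). */
int is_allowed(const char *entry) {
    size_t n = name_len(entry);
    if (n == 0) return 0;
    for (const char *const *a = allowed; *a != NULL; a++)
        if (strlen(*a) == n && strncmp(*a, entry, n) == 0) return 1;
    return 0;
}

/* Build a NULL-terminated envp for execve() from the caller's environment.
 * Entries point into `in` or `fixed`; free() only the returned array.
 * Returns NULL on allocation failure or if MAX_ENV would be exceeded. */
char **helper_env(char *const *in) {
    char **out = calloc(MAX_ENV + 1, sizeof *out);
    size_t n = 0;
    if (out == NULL) return NULL;
    for (const char *const *f = fixed; *f != NULL; f++) {
        if (n >= MAX_ENV) { free(out); return NULL; }
        out[n++] = (char *)*f;
    }
    for (; in != NULL && *in != NULL; in++) {
        if (!is_allowed(*in)) continue;
        if (n >= MAX_ENV) { free(out); return NULL; }
        out[n++] = *in;
    }
    out[n] = NULL;
    return out;
}

/* 1 if env contains a variable called `name`. */
int env_has(char *const *env, const char *name) {
    size_t len = strlen(name);
    for (; env != NULL && *env != NULL; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=') return 1;
    return 0;
}

size_t env_count(char *const *env) {
    size_t n = 0;
    for (; env != NULL && *env != NULL; env++) n++;
    return n;
}

/* Constructed sample: what a local user might export before provoking a
 * failure report.  MAIL_CONFIG is a variable Postfix reads from its
 * environment (not something the advisory states); LD_PRELOAD, PATH and
 * IFS are the classic denylist entries.  Returns 1 if the environment we
 * build is exactly the fixed PATH plus the caller's TZ. */
int sample_is_clean(void) {
    char *user_env[] = {
        "TZ=UTC", "LD_PRELOAD=/tmp/evil.so", "MAIL_CONFIG=/tmp/cfg",
        "PATH=/tmp:/usr/bin", "IFS= \t\n", "=broken", NULL
    };
    char **env = helper_env(user_env);
    int ok = env != NULL
        && env_count(env) == 2
        && strcmp(env[0], fixed[0]) == 0
        && env_has(env, "TZ")
        && !env_has(env, "LD_PRELOAD") && !env_has(env, "MAIL_CONFIG")
        && !env_has(env, "IFS");
    free(env);
    return ok;
}

int main(void) {
    char *user_env[] = { "TZ=UTC", "LD_PRELOAD=/tmp/evil.so",
                         "MAIL_CONFIG=/tmp/cfg", NULL };
    char **env = helper_env(user_env);
    for (char **e = env; e != NULL && *e != NULL; e++) puts(*e);
    free(env);
    return sample_is_clean() ? 0 : 1;
}
```

    The particular names on a denylist are beside the point: the mailer
    may honour a variable the setuid program has never heard of, and
    with real and effective UID both 0 it has no cue to distrust it.
    Starting from nothing and adding back named variables is the only
    approach that does not depend on knowing every mailer's environment
    interface, and later sudo releases take the same line by running the
    mailer with a fixed, minimal environment.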

Workarounds:
    If you don't use sudo you can chmod 000 /usr/bin/sudo (or simply
    remove it).

    If you use Postfix but do not wish to update sudo, you may
    edit the Postfix main.cf configuration file and change the
    "import_environment" specification to only include "TZ".  E.g.

	import_environment = TZ

Patches are available that update sudo to version 1.6.5p1.

Patch for 3.0:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/011_sudo.patch

Patch for 2.9:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/019_sudo.patch

These patches have also been applied to the 2.9 and 3.0 patch
branches.  As of Fri Jan 18 18:12:35 GMT 2002 the anoncvs servers
have not yet updated but should do so in a few hours.

No patch is available for OpenBSD 2.8 but you may compile the sudo
sources from the 2.9 patch branch.  E.g.

    % cvs -d anoncvs@anoncvs.openbsd.org:/cvs get -rOPENBSD_2_9 \
      src/usr.bin/sudo

    % cd src/usr.bin/sudo

    % make -f Makefile.bsd-wrapper

    % make -f Makefile.bsd-wrapper install

Copyright 2020, SecurityGlobal.net LLC