While sudo is used to give fairly trusted users the ability to run programs with root privs, there exists a hole in the one in the RedHat contrib directory (sudo 1.5.9.p4) which allows a minimally trusted user to obtain full root access and privilege.

If a user is given the opportunity to run any program, that user can fool sudo and obtain any level of privilege for any executable.

Assume the user can run "/bin/treport" as listed in the sudoers file. (The actual program name does not matter.)

The user copies /bin/vi to ./treport (assuming the user is in a directory in which he has write and execute priv.) The user then executes the following line:

    sudo ./treport /etc/shadow

vi is executed with root privilege and shadow is opened. The full path of treport is not required. The correct path of treport is not required.

This program should be restricted only to _very_ trusted users in the meantime.

wade

[mod: Note that many operations that normally require "root" will "give away" root when allowed under "sudo" with a little puzzling. This, however, is unforgivable..... -- REW]
Wade Maxfield
1999-Nov-12 17:17 UTC
[linux-security] Re: security hole in sudo allows users full access
It appears to be the sudo package itself. sudoers had the full path to treport in it and allowed the local treport program to be executed.

wade

On Fri, 12 Nov 1999, R. DuFresne wrote:

> How redhat specific is this exploit? We run slackware out here, and the
> slackware security list is far less open than the debian and redhat lists,
> and spews out far less information than the others.
>
> Thanks,
>
> Ron DuFresne
>
> On Thu, 11 Nov 1999, Wade Maxfield wrote:
>
> > While sudo is used to give fairly trusted users the ability to run
> > programs with root privs, there exists a hole in the one in the RedHat
> > contrib directory (sudo 1.5.9.p4) which allows a minimally trusted user to
> > obtain full root access and privilege.
> >
> > If a user is given the opportunity to run any program, that user can
> > fool sudo and obtain any level of privilege for any executable.
> >
> > Assume the user can run "/bin/treport" as listed in the sudoers file.
> > (The actual program name does not matter.)
> >
> > the user copies /bin/vi to ./treport (assuming the user is in a
> > directory in which he has write and execute priv.) the user then executes
> > the following line:
> >
> > sudo ./treport /etc/shadow
> >
> > vi is executed with root privilege and shadow is opened. The full path
> > of treport is not required. The correct path of treport is not required.
> >
> > This program should be restricted only to _very_ trusted users in the
> > meantime.
> >
> > wade
> >
> > [mod: Note that many operations that normally require "root" will
> > "give away" root when allowed under "sudo" with a little puzzling.
> > This, however, is unforgivable..... -- REW]
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior consultant: darkstar.sysinfo.com
> http://darkstar.sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
> -- Johnny Hart
>
> testing, only testing, and damn good at it too!
Cy Schubert - ITSD Open Systems Group
1999-Nov-13 16:40 UTC
[linux-security] Re: security hole in sudo allows users full access
In message <Pine.LNX.4.10.9911112126510.13656-100000@one.ctelcom.net>, Wade Maxfield writes:

> While sudo is used to give fairly trusted users the ability to run
> programs with root privs, there exists a hole in the one in the RedHat
> contrib directory (sudo 1.5.9.p4) which allows a minimally trusted user to
> obtain full root access and privilege.
>
> If a user is given the opportunity to run any program, that user can
> fool sudo and obtain any level of privilege for any executable.
>
> Assume the user can run "/bin/treport" as listed in the sudoers file.
> (The actual program name does not matter.)
>
> the user copies /bin/vi to ./treport (assuming the user is in a
> directory in which he has write and execute priv.) the user then executes
> the following line:
>
> sudo ./treport /etc/shadow
>
> vi is executed with root privilege and shadow is opened. The full path
> of treport is not required. The correct path of treport is not required.
>
> This program should be restricted only to _very_ trusted users in the
> meantime.

To fix this, reconfigure sudo with --with-ignore-dot or --with-secure-path.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
                      "e**(i*pi)+1=0"
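An added illustration, not part of any message in this thread and not sudo's source: the report describes a sudoers entry for the full path /bin/treport being satisfied by a different file that is also named treport. The C sketch below contrasts a hypothetical name-only comparison (an assumption; the thread does not say how sudo 1.5.9.p4 compared the two) with a check that requires the same device and inode. All function names and the /tmp fixture are constructed for the example.

```c
/* Added illustration, not sudo's source. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical weak check: compares only the last path component. */
static const char *base_of(const char *p) {
    const char *s = strrchr(p, '/');
    return s ? s + 1 : p;
}
int match_by_name(const char *allowed, const char *typed) {
    return strcmp(base_of(allowed), base_of(typed)) == 0;
}

/* Strict check: the sudoers entry must be absolute and the typed command
 * must be the very same regular file (same device and inode). */
int match_by_identity(const char *allowed, const char *typed) {
    struct stat a, t;
    if (allowed[0] != '/') return 0;
    if (stat(allowed, &a) != 0 || stat(typed, &t) != 0) return 0;
    if (!S_ISREG(a.st_mode) || !S_ISREG(t.st_mode)) return 0;
    return a.st_dev == t.st_dev && a.st_ino == t.st_ino;
}

/* Constructed fixture: two distinct files that share the name "treport". */
int make_fixture(char *real, char *copy, size_t n) {
    char top[64], sub[80];
    FILE *f;
    snprintf(top, sizeof top, "/tmp/sudo-demo-%ld", (long)getpid());
    snprintf(sub, sizeof sub, "%s/home", top);
    if (mkdir(top, 0700) != 0 || mkdir(sub, 0700) != 0) return -1;
    snprintf(real, n, "%s/treport", top);   /* stands in for /bin/treport */
    snprintf(copy, n, "%s/treport", sub);   /* stands in for ./treport    */
    if (!(f = fopen(real, "w"))) return -1;
    fclose(f);
    if (!(f = fopen(copy, "w"))) return -1;
    fclose(f);
    return 0;
}

int main(void) {
    char real[128], copy[128];
    if (make_fixture(real, copy, sizeof real) != 0) return 1;
    printf("name-only match: %d, identity match: %d\n",
           match_by_name(real, copy), match_by_identity(real, copy));
    return 0;
}
```

A real implementation must also execute exactly the file it validated, since the path can be swapped between the stat() call and the exec.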