FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

sudo -- Privilege escalation with sudoedit

Affected packages
sudo < 1.7.2.6

Details

VuXML ID 1a9f678d-48ca-11df-85f8-000c29a67389
Discovery 2010-04-09
Entry 2010-04-15

Todd Miller reports:

Sudo's command matching routine expects actual commands to include one or more slash ('/') characters. The flaw is that sudo's path resolution code did not add a "./" prefix to commands found in the current working directory. This creates an ambiguity between a "sudoedit" command found in the cwd and the "sudoedit" pseudo-command in the sudoers file. As a result, a user may be able to run an arbitrary command named "sudoedit" in the current working directory. For the attack to be successful, the PATH environment variable must include "." and may not include any other directory that contains a "sudoedit" command.
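A small Python model of the ambiguity the report describes, added here as an illustration and not taken from sudo's own sources: it mimics PATH resolution with and without the "./" prefix and shows that only the prefixed form carries the slash that separates a real file from the sudoers pseudo-command. The PATH strings and the directory listing are constructed sample data.

```python
# Added illustration (not sudo's own code): a toy model of sudo's command
# matching, showing why a "sudoedit" found in the cwd was ambiguous before
# sudo 1.7.2.6 and how adding a "./" prefix removes the ambiguity.

PSEUDO_COMMAND = "sudoedit"   # the sudoers pseudo-command name


def resolve_command(cmd, path_env, files_in_dirs, fixed):
    """Search PATH for `cmd`, in the spirit of sudo's path resolution.

    files_in_dirs maps a directory to the set of executables it holds
    (a constructed stand-in for the real filesystem).  Returns the
    resolved command, or None when nothing matches.
    """
    if "/" in cmd:              # already an explicit path
        return cmd
    for entry in path_env.split(":"):
        directory = entry or "."        # an empty PATH element means cwd
        if cmd not in files_in_dirs.get(directory, set()):
            continue
        if directory == ".":
            # Vulnerable behaviour: the bare name is returned, so it
            # carries no slash and is indistinguishable from the
            # sudoers pseudo-command.  The fix prefixes "./".
            return "./" + cmd if fixed else cmd
        return directory + "/" + cmd
    return None


def classify(cmd, path_env, files_in_dirs, fixed):
    """Tell whether the resolved command is treated as a real file or
    as the sudoedit pseudo-command (the model distinguishes by the slash)."""
    resolved = resolve_command(cmd, path_env, files_in_dirs, fixed)
    if resolved is None:
        return "not found"
    if "/" not in resolved and resolved == PSEUDO_COMMAND:
        return "pseudo-command"
    return "file:" + resolved


def path_includes_cwd(path_env):
    """Precondition from the advisory: PATH must include '.' (or an
    empty element, which also means cwd) for the lookup to happen at all."""
    return any(e in ("", ".") for e in path_env.split(":"))


if __name__ == "__main__":
    fs = {".": {"sudoedit"}, "/usr/bin": {"vi"}}   # constructed sample
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable",
              classify("sudoedit", "/usr/bin:.", fs, fixed))
```

Running the block prints `vulnerable pseudo-command` followed by `fixed file:./sudoedit`, which is the whole difference the 1.7.2.6 change makes.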

References

CVE Name CVE-2010-1163
URL http://www.sudo.ws/pipermail/sudo-announce/2010-April/000093.html
URL http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html