Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > June 2005 > OpenBSD Security Advisory: Sudo

June 2005

OpenBSD Security Advisory: Sudo

ID: 00506
Ref: 466/2005
Date: 21 June 2005:14:25:13
Version: 1
Title: OpenBSD Security Advisory: Sudo
Abstract:
Vendors affected: OpenBSD
Operating systems affected: OpenBSD
Applications affected: OpenBSD
Title
=====

OpenBSD Security Advisory: Sudo

Detail
======

Exploitation of the bug requires that the user be allowed to
run one or more commands via Sudo and be able to create symbolic
links in the filesystem. Furthermore, a sudoers entry giving
another user access to the ALL pseudo-command must follow the
user's sudoers entry for the race to exist.





Summary:
A race condition in Sudo's command pathname handling could allow
a user with Sudo privileges to run arbitrary commands.

Details:
When a user runs a command via Sudo, the inode and device numbers
of the command are compared to those of commands with the same
basename found in the sudoers file (see the Background paragraph
for more information). When a match is found, the path to the
matching command listed in the sudoers file is stored in the
variable safe_cmnd, which is later used to execute the command.
Because the actual path executed comes from the sudoers file
and not directly from the user, Sudo should be safe from race
conditions involving symbolic links. However, if a sudoers
entry containing the pseudo-command ALL follows the user's
sudoers entry the contents of safe_cmnd will be overwritten
with the path the user specified on the command line, making
Sudo vulnerable to the aforementioned race condition.

Impact:
Exploitation of the bug requires that the user be allowed to
run one or more commands via Sudo and be able to create symbolic
links in the filesystem. Furthermore, a sudoers entry giving
another user access to the ALL pseudo-command must follow the
user's sudoers entry for the race to exist.

For example, the following sudoers file is not affected by the
bug:

root server=ALL
someuser server=/bin/echo

Whereas this one would be:

someuser server=/bin/echo
root server=ALL

Fix:
The problem has been fixed in OpenBSD-current as well as the
3.6 and 3.7 -stable branches. Patches for OpenBSD 3.6 and 3.7
are also available:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/018_sudo.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/003_sudo.patch


Workaround:
The administrator can order the sudoers file such that all
entries granting Sudo ALL privileges precede all other entries.

Credit:
This problem was brought to my attention by Charles Morris.

Background:
The reason Sudo uses the inode for command matching is to make
relative paths work and to avoid problems caused by automounters
where the path to be executed is not the same as the absolute
path to the command.

Another possible approach is to use the realpath() function to
find the true path. Sudo does not user realpath() because that
function is not present in all operating systems and is often
vulnerable to race conditions where it does exist.
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |