The OpenNET Project
 
X-RDate: Mon, 26 Jan 1998 10:25:14 +0500 (ESK)
Date: Mon, 12 Jan 1998 12:29:09 -0500
From: osiris@courier.cb.lucent.com
To: best-of-security@cyber.com.au
Subject: BoS:      hole in sudo for MP-RAS.


There is a bug in sudo versions (at least) 1.5.2 and 1.5.3 on NCR's MP-RAS
that makes it trivial to bypass sudo's restrictions.  I reported this to
the sudo-bugs address given in the source on 12/23/97, but never heard back,
so screw 'em.  It is important to note that MP-RAS is one of the platforms
listed in the RUNSON file included with the distribution, so there are
probably many people running this; I imagine you will want to reconsider it
if you are one of them.

Basically, if you define a command that a user is not allowed to run, they
will still be allowed to run it if they cd to the directory containing the
command and preface it with ./.  Here's an example:

/da8 atlas> sudo date
Sorry, user osiris is not allowed to execute "/usr/bin/date" as root on atlas.

/da8 atlas> sudo /bin/date
Sorry, user osiris is not allowed to execute "/bin/date" as root on atlas.

/da8 atlas> cd /usr/bin
/usr/bin atlas> sudo ./date
Mon Jan 12 12:15:34 EST 1998

I'm not sure if this problem affects any other platforms.  I believe HP-UX
9.04 at least is safe.

--jml


Date: 	Mon, 12 Jan 1998 18:54:13 -0800
Reply-To: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Sender: avalon
>From: Cy Schubert - ITSD Open Systems Group <cschuber@UUMAIL.GOV.BC.CA>
Subject:      Re: hole in sudo for MP-RAS.
X-To:         "Todd C. Miller" <Todd.Miller@courtesan.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Mon, 12 Jan 1998 16:28:01 MST." 
              <199801122328.QAA16120@xerxes.courtesan.com>
Approved: darrenr@cyber.com.au
X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
X-Originated-From: From: osiris@COURIER.CB.LUCENT.COM

> As this seems to only affect that one OS, I'm not sure I would call
> it a bug in sudo.  When this was reported for 1.5.2 I took a look
> but couldn't find any way to reproduce it (and I don't have access
> to the OS in question).

I've been able to reproduce the exploit using cu-sudo 1.5.3 under DEC UNIX
4.0B and FreeBSD 2.2.5.  After looking at the code the bug can be exploited on
any platform.

Here is a patch to fix the problem, assuming your operating system of choice
supports realpath(3).  *BSD, Linux, Solaris, SunOS, DEC UNIX, AIX, and DG/UX
should have no problem with this patch.

diff -ur sudo.v1.5.3.orig/find_path.c sudo.v1.5.3/find_path.c
--- sudo.v1.5.3.orig/find_path.c        Wed Nov 13 18:37:22 1996
+++ sudo.v1.5.3/find_path.c     Mon Jan 12 17:55:43 1998
@@ -118,7 +118,11 @@
      * the error is "not found" -- this way we get the correct error.
      */
     if (strchr(file, '/')) {
-       (void) strcpy(command, file);
+       if (realpath(file, command) == NULL) {
+           (void) fprintf(stderr, "%s: %s", Argv[0], file);
+           perror("");
+           exit(1);
+       }
        if (sudo_goodpath(command)) {
            return(command);
        } else {
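
Review bot: In the added realpath() failure branch, fprintf(stderr, "%s: %s", Argv[0], file) followed by perror("") prints the file name and the error text run together, because perror() with an empty string emits only the message with no separator. Ending the format string with ": " would fix that. Separately, realpath() can write a full maximum-length path into command, and the declaration of command is not visible in this hunk, so please confirm the buffer is at least PATH_MAX (MAXPATHLEN) bytes. The patch also makes realpath(3) a hard requirement with no fallback for platforms that lack it; a configure-time check or an #ifdef around the new branch would keep those builds working.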

>
>  - todd
>



Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       Cy.Schubert@gems8.gov.bc.ca

                "Quit spooling around, JES do it."

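The effect of resolving a path before checking it, as in the patch above, shown as an added example that is not part of either message or of sudo's source. It uses a simplified model (an assumption) in which the policy names a command by absolute path and the check is a string comparison; the function names and the scratch file `tool` are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Simplified model (assumption): the policy names a command by absolute path
 * and the check is a string comparison. This is not sudo's actual source. */
static int denied_naive(const char *typed, const char *denied) {
    return strcmp(typed, denied) == 0;          /* compares the path as typed */
}

static int denied_canonical(const char *typed, const char *denied) {
    char resolved[PATH_MAX];
    if (realpath(typed, resolved) == NULL)
        return 1;                               /* cannot resolve: refuse */
    return strcmp(resolved, denied) == 0;       /* compares the resolved path */
}

/* Creates a constructed scratch directory holding one file, "tool", changes
 * into it, and returns a bitmask: bit 0 naive/absolute, bit 1 naive/"./tool",
 * bit 2 canonical/"./tool", bit 3 canonical/unresolvable. -1 on setup error. */
int run_demo(void) {
    char dir[] = "/tmp/pathdemoXXXXXX";
    char full[PATH_MAX], denied[PATH_MAX];
    FILE *f;
    int r = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(full, sizeof full, "%s/tool", dir);
    if ((f = fopen(full, "w")) == NULL) return -1;
    fclose(f);
    if (realpath(full, denied) == NULL || chdir(dir) != 0) return -1;

    r |= denied_naive(denied, denied) << 0;          /* absolute form typed */
    r |= denied_naive("./tool", denied) << 1;        /* relative form typed */
    r |= denied_canonical("./tool", denied) << 2;    /* relative, resolved first */
    r |= denied_canonical("./missing", denied) << 3; /* nonexistent path */

    if (chdir("/") != 0) return -1;
    remove(full);
    rmdir(dir);
    return r;
}

int main(void) {
    printf("result mask: %d\n", run_demo());
    return 0;
}
```

Bit 1 staying clear is the behaviour reported in the first message: the relative spelling of a denied command does not match the policy entry until the path is resolved.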