__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN sudo Vulnerabilities [Debian Security Advisory (DSA 946-1)] January 20, 2006 23:00 GMT Number Q-107 [REVISED 12 Apr 2006] ______________________________________________________________________________ PROBLEM: Perl and Python have environment variables that specify paths to search for included files. Those paths are searched before the normal system path. The sudo program does not clear these variables before running a script. PLATFORM: Debian GNU/Linux 3.0 alias woody Debian GNU/Linux 3.1 alias sarge DAMAGE: An intruder could name a malicious library with the same name as a system library and get that library executed as root. SOLUTION: Apply the available security update. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. A local user may gain root. The user must ASSESSMENT: have privileges to sudo a Perl or Python script. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/q-107.shtml ORIGINAL BULLETIN: http://www.debian.org/security/2006/dsa-946 ADDITIONAL LINKs: Debian Security Advisory DSA-946-2 http://www.debian.org/security/2006/dsa-946-2 CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2005-4158, CVE-2006-0151 ______________________________________________________________________________ REVISION HISTORY: 04/12/2006 - added a link to Debian Security Advisory DSA 946-2 for Debian GNU/Linux 3.0 alias woody and debian GNU/Linux 3.1 alias sarge. [***** Start Debian Security Advisory (DSA 946-1) *****] DSA-946-1 sudo -- missing input sanitising Date Reported: 20 Jan 2006 Affected Packages: sudo Vulnerable: Yes Security database references: In the Debian bugtracking system: Bug 342948. In Mitre's CVE dictionary: CVE-2005-4158, CVE-2006-0151. More information: It has been discovered that sudo, a privileged program, that provides limited super user privileges to specific users, passes several environment variables to the program that runs with elevated privileges. In the case of include paths (e.g. for Perl, Python, Ruby or other scripting languages) this can cause arbitrary code to be executed as privileged user if the attacker points to a manipulated version of a system library. This update alters the former behaviour of sudo and limits the number of supported environment variables to LC_*, LANG, LANGUAGE and TERM. Additional variables are only passed through when set as env_check in /etc/sudoers, which might be required for some scripts to continue to work. For the old stable distribution (woody) this problem has been fixed in version 1.6.6-1.5. For the stable distribution (sarge) this problem has been fixed in version 1.6.8p7-1.3. For the unstable distribution (sid) this problem has been fixed in version 1.6.8p12-1. We recommend that you upgrade your sudo package. For unstable "Defaults = env_reset" need to be addeed to /etc/sudoers manually. Fixed in: Debian GNU/Linux 3.0 (woody) Source: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6-1.5.dsc http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5.diff.gz http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6.orig.tar.gz Alpha: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5_alpha.deb ARM: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5_arm.deb Intel IA-32: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5_i386.deb Intel IA-64: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5_ia64.deb HPPA: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5_hppa.deb Motorola 680x0: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5_m68k.deb Big endian MIPS: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5_mips.deb Little endian MIPS: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5_mipsel.deb PowerPC: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5_powerpc.deb IBM S/390: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5_s390.deb Sun Sparc: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.6- 1.5_sparc.deb Debian GNU/Linux 3.1 (sarge) Source: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3.dsc http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3.diff.gz http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7.orig.tar.gz Alpha: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_alpha.deb AMD64: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_amd64.deb ARM: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_arm.deb Intel IA-32: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_i386.deb Intel IA-64: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_ia64.deb HPPA: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_hppa.deb Motorola 680x0: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_m68k.deb Big endian MIPS: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_mips.deb Little endian MIPS: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_mipsel.deb PowerPC: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_powerpc.deb IBM S/390: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_s390.deb Sun Sparc: http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.8p7- 1.3_sparc.deb MD5 checksums of the listed files are available in the original advisory. [***** End Debian Security Advisory (DSA 946-1) *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Debian for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) Q-097: Default Administrative Password in Cisco Security Monitoring, Analysis and Response System (CS-MARS) Q-098: Ethereal Security Update Q-099: Red Hat 4 Kernel Update Q-100: Oracle Critical Patch Update Q-101: Cisco Call Manager Privilege Escalation Q-102: Red Hat 3 Kernel Update Q-103: F-Secure ZIP and RAR-archive handling Q-104: ClamAV Remote Code Execution Q-105: Apple QuickTime Vulnerabilities Q-106: kdelibs Buffer Overflow