Sudo bash command execution
| sudo-bash-command-execution (18055) |
Description:
Sudo (superuser do) could allow a local attacker, with privileges to execute scripts written in bash, to execute arbitrary commands on the system.
Platforms Affected:
- Debian, Debian Linux 3.0
- MandrakeSoft, Mandrake Linux 10.0 AMD64
- MandrakeSoft, Mandrake Linux 10.0
- MandrakeSoft, Mandrake Linux 10.1 X86_64
- MandrakeSoft, Mandrake Linux 10.1
- MandrakeSoft, Mandrake Linux 9.2
- MandrakeSoft, Mandrake Linux 9.2 AMD64
- MandrakeSoft, Mandrake Linux Corporate Server 2.1
- MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
- MandrakeSoft, Mandrake Multi Network Firewall 8.2
- OpenPKG, OpenPKG 2.1
- OpenPKG, OpenPKG 2.2
- OpenPKG, OpenPKG CURRENT
- Todd C. Miller, Sudo prior to 1.6.8p2
- Trustix, Secure Linux 1.5
- Trustix, Secure Linux 2.0
- Trustix, Secure Linux 2.1
- Trustix, Secure Linux 2.2
- Turbolinux, Turbolinux 10 Desktop
- Turbolinux, Turbolinux 10 F...
- Turbolinux, Turbolinux 10 Server
- Turbolinux, Turbolinux 7 Server
- Turbolinux, Turbolinux 7 Workstation
- Turbolinux, Turbolinux 8 Server
- Turbolinux, Turbolinux 8 Workstation
- Turbolinux, Turbolinux Home
Remedy:
Upgrade to the latest version of sudo (1.6.8p2 or later), available from the Sudo Security Alert November 11, 2004. See References.
For Trustix Secure Linux:
Upgrade to the latest sudo package, as listed below. Refer to Trustix Secure Linux Security Advisory #2004-0061 for more information. See References.
Trustix Secure Linux 2.1: 1.6.8p3-0.2tr or later
Trustix Secure Linux 2.2 : 1.6.8p3-1tr or later
Trustix Secure Linux 2.0: 1.6.8p3-0.1tr or later
Trustix Secure Linux 1.5: 1.6.8p3-0.1tr or later
For Mandrake Linux:
Upgrade to the latest sudo package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:133 for more information. See References.
Mandrake Linux 9.2: 1.6.7-0.p5.1.1.92mdk or later
Mandrake Linux 10.0: 1.6.7-0.p5.2.1.100mdk or later
Mandrake Linux Multi Network Firewall 8.2: 1.6.4-3.2.M82mdk or later
Mandrake Linux Corporate Server 2.1: 1.6.6-2.1.C21mdkor later
Mandrake Linux 10.1: 1.6.8p1-1.1.101mdk or later
For Ubuntu Linux:
Upgrade to the latest sudo package (1.6.7p5-1ubuntu4.1 or later), as listed in USN-28-1 November 17, 2004. See References.
For Debian GNU/Linux 3.0 (alias woody):
Upgrade to the latest sudo package (1.6.6-1.2 or later), as listed in DSA-596-1. See References.
For Turbolinux:
Upgrade to the latest sudo package, as listed below. Refer to Turbolinux Security Advisory TLSA-2005-17 for more information. See References.
Turbolinux 10 Server: 1.6.7p5-3 or later
Turbolinux Home: 1.6.7p5-3 or later
Turbolinux 10 Desktop: 1.6.6-5 00902-13 or later
Turbolinux 8 Server: 1.6.6-5 or later
Turbolinux 8 Workstation: 1.6.6-5 or later
Turbolinux 7 Server: 1.6.6-5 or later
Turbolinux 7 Workstation: 1.6.6-5 or later
For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2005.002 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Gain Privileges
References:
- BugTraq Mailing List, Fri Nov 12 2004 - 10:52:06 CST , Sudo version 1.6.8p2 now available (fwd) at http://archives.neohapsis.com/archives/bugtraq/2004-11/0176.html.
- CIAC Information Bulletin P-042, Sudo Missing Input Santising at http://www.ciac.org/ciac/bulletins/p-042.shtml.
- Sudo Security Alert November 11, 2004 , Bash scripts run via Sudo can be subverted at http://www.sudo.ws/sudo/alerts/bash_functions.html.
- Trustix Secure Linux Security Advisory #2004-0058, Various security fixes at http://www.trustix.net/errata/2004/0058/.
- Trustix Secure Linux Security Advisory #2004-0061, Multiple vulnerabilities at http://www.trustix.net/errata/2004/0061/.
- BID-11668: GratiSoft Sudo Restricted Command Execution Bypass Vulnerability
- CVE-2004-1051: sudo before 1.6.8p2 allows local users to execute arbitrary commands by using () style environment variables to create functions that have the same name as any program within the bash script that is called without using the program's full pathname.
- DSA-596: sudo -- missing input sanitising
- MDKSA-2004:133: Updated sudo packages fix vulnerability
- OpenPKG-SA-2005.002: sudo
Reported:
Nov 12, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
