Debian sudo perl variables allow execution of arbitrary code
| sudo-perl-execute-code (23102) |  High Risk |
Description:
Sudo (superuser do) could allow a local attacker to execute arbitrary commands. If the perl tainting option is disabled, a local attacker with sudo privileges to run a perl script could inject a specially-crafted environment variable, PERLLIB, PERL5LIB or PERL5OPT, to load malicious shared libraries and allow execution of arbitrary code with super-user privileges.
*CVSS:
| Base Score: | 4.9 |
| Access Vector: | Local |
| Access Complexity: | Low |
| Authentication: | Not Required |
| Confidentiality Impact: | Partial |
| Integrity Impact: | Partial |
| Availability Impact: | Partial |
| Temporal Score: | 3.6 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of sudo (version 1.6.8p12 or later) available from the Sudo Download Web page. See References.
For Sudo in Ubuntu Linux:
Refer to USN-235-1 and USN-235-2 for patch, upgrade, or suggested workaround information. See References.
For Debian GNU/Linux:
Refer to DSA-946-1 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- About Sudo: Sudo Main Page.
- Sudo Download Web page: Downloading Sudo.
- Sudo Support Web page - Original Advisory: Perl scripts run via Sudo can be subverted.
- BID-15191: Todd Miller Sudo Local Privilege Escalation Vulnerability
- BID-15394: Sudo Perl Environment Variable Handling Security Bypass Vulnerability
- BID-16184: Sudo Python Environment Variable Handling Security Bypass Vulnerability
- CVE-2005-4158: Sudo before 1.6.8 p12, when the Perl taint flag is off, does not clear the (1) PERLLIB, (2) PERL5LIB, and (3) PERL5OPT environment variables, which allows limited local users to cause a Perl script to include and execute arbitrary library files that have the same name as library files that are included by the script.
- CVE-2006-0151: sudo 1.6.8 and other versions does not clear the PYTHONINSPECT environment variable, which allows limited local users to gain privileges via a Python script, a variant of CVE-2005-4158.
- DSA-946: sudo -- missing input sanitising
- MDKSA-2005:234: Updated sudo packages fix vulnerability
- MDKSA-2006:159: Updated sudo packages whitelist environments
- SA17534: Sudo Perl Environment Cleaning Privilege Escalation Vulnerability
- SA18358: Sudo Python Environment Cleaning Privilege Escalation Vulnerability
- SECTRACK ID: 1015192: Sudo Input Validation Flaw in Perl-related Environment Variables Lets Certain Local Users Execute Arbitrary Perl Code
- SUSE-SR:2006:002: SUSE Security Summary Report
- USN-235-1: sudo vulnerability
- USN-235-2: sudo vulnerability
- VUPEN/ADV-2005-2386: Sudo Perl Environment Handling Command Execution Vulnerability
Platforms Affected:
- Canonical Ubuntu 4.10
- Canonical Ubuntu 5.04
- Canonical Ubuntu 5.10
- Debian Debian Linux 3.0
- Debian Debian Linux 3.1
- Debian Debian Linux
- MandrakeSoft Mandrake Linux 10.1
- MandrakeSoft Mandrake Linux 10.1 X86_64
- MandrakeSoft Mandrake Linux 2006
- MandrakeSoft Mandrake Linux 2006 X86_64
- MandrakeSoft Mandrake Linux LE2005
- MandrakeSoft Mandrake Linux LE2005 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
- MandrakeSoft Mandrake Linux Corporate Server 2.1
- MandrakeSoft Mandrake Linux Corporate Server 3.0
- MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft Mandrake Multi Network Firewall 2.0
- Todd C. Miller Sudo prior to 1.6.8p12
Reported:
Nov 11, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.