Debian sudo perl variables allow execution of arbitrary code
sudo-perl-execute-code (23102)
Description:
Sudo (superuser do) could allow a local attacker to execute arbitrary commands. If the Perl tainting option is disabled, a local attacker with sudo privileges to run a Perl script could inject a specially crafted environment variable (PERLLIB, PERL5LIB or PERL5OPT) to load malicious shared libraries and execute arbitrary code with super-user privileges.
Platforms Affected:
- Canonical, Ubuntu 4.10
- Canonical, Ubuntu 5.04
- Canonical, Ubuntu 5.10
- Debian, Debian Linux 3.0
- Debian, Debian Linux 3.1
- Debian, Debian Linux
- MandrakeSoft, Mandrake Linux 10.1 X86_64
- MandrakeSoft, Mandrake Linux 10.1
- MandrakeSoft, Mandrake Linux 2006
- MandrakeSoft, Mandrake Linux 2006 X86_64
- MandrakeSoft, Mandrake Linux LE2005 X86_64
- MandrakeSoft, Mandrake Linux LE2005
- MandrakeSoft, Mandrake Linux Corporate Server 2.1
- MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
- MandrakeSoft, Mandrake Linux Corporate Server 3.0
- MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft, Mandrake Multi Network Firewall 2.0
- Todd C. Miller, Sudo prior to 1.6.8p12
Remedy:
Upgrade to the latest version of sudo (version 1.6.8p12 or later) available from the Sudo Download Web page. See References.
For Sudo in Ubuntu Linux:
Refer to USN-235-1 and USN-235-2 for patch, upgrade, or suggested workaround information. See References.
For Debian GNU/Linux:
Refer to DSA-946-1 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
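As a check to run alongside the upgrade, the following added example (not part of the original advisory or of sudo) scans a sudoers file for Defaults lines that would let the variables named in the Description reach a script run through sudo. It assumes the standard sudoers `env_reset` and `env_keep` settings; the function names and the sample file are constructed for illustration, and line continuations and included files are not followed.

```shell
#!/bin/sh
# Added example: flag sudoers Defaults that let PERLLIB, PERL5LIB or PERL5OPT
# reach a Perl script run through sudo. Function names are illustrative.
RISKY_VARS='PERLLIB PERL5LIB PERL5OPT'

# Constructed sample input (not taken from any real system).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
Defaults env_keep += "LANG PERL5LIB"
Defaults:alice !env_reset
Defaults env_keep -= "PERL5OPT"
Defaults env_keep += "PERL*"
alice ALL=(root) /usr/local/bin/report.pl
EOF
}

# audit_sudoers FILE: print one finding per line; return 1 if any were found.
audit_sudoers() {
    file=$1 lineno=0 found=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line#"${line%%[![:space:]]*}"}      # drop leading whitespace
        case $line in Defaults*) ;; *) continue ;; esac
        case $line in
            *'!env_reset'*) echo "$file:$lineno: env_reset disabled"; found=1 ;;
        esac
        case $line in
            *env_keep*-=*) continue ;;             # removal from the keep list
            *env_keep*) ;;
            *) continue ;;
        esac
        list=$(printf '%s' "${line#*=}" | tr '",' '  ')
        set -f                                     # keep '*' entries literal
        for pat in $list; do
            for var in $RISKY_VARS; do
                # env_keep entries may be globs, so match them as patterns
                case $var in
                    $pat) echo "$file:$lineno: env_keep '$pat' preserves $var"
                          found=1 ;;
                esac
            done
        done
        set +f
    done < "$file"
    return $found
}
```

Call `audit_sudoers` on the system's sudoers file (readable by root) after sourcing the script; `sample_sudoers` prints the constructed input used to exercise it.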
Consequences:
Gain Access
References:
- About Sudo, Sudo Main Page at http://www.sudo.ws/.
- Sudo Download Web page, Downloading Sudo at http://www.sudo.ws/sudo/download.html.
- Sudo Support Web page - Original Advisory, Perl scripts run via Sudo can be subverted at http://www.sudo.ws/sudo/alerts/perl_env.html.
- BID-15191: Todd Miller Sudo Local Privilege Escalation Vulnerability
- BID-15394: Sudo Perl Environment Variable Handling Security Bypass Vulnerability
- BID-16184: Sudo Python Environment Variable Handling Security Bypass Vulnerability
- CVE-2005-4158: Sudo before 1.6.8 p12, when the Perl taint flag is off, does not clear the (1) PERLLIB, (2) PERL5LIB, and (3) PERL5OPT environment variables, which allows limited local users to cause a Perl script to include and execute arbitrary library files that have the same name as library files that are included by the script.
- CVE-2006-0151: sudo 1.6.8 and other versions does not clear the PYTHONINSPECT environment variable, which allows limited local users to gain privileges via a Python script, a variant of CVE-2005-4158.
- DSA-946: sudo -- missing input sanitising
- MDKSA-2005:234: Updated sudo packages fix vulnerability
- MDKSA-2006:159: Updated sudo packages whitelist environments
- SA17534: Sudo Perl Environment Cleaning Privilege Escalation Vulnerability
- SA18358: Sudo Python Environment Cleaning Privilege Escalation Vulnerability
- SECTRACK ID: 1015192: Sudo Input Validation Flaw in Perl-related Environment Variables Lets Certain Local Users Execute Arbitrary Perl Code
- SUSE-SR:2006:002: SUSE Security Summary Report
- USN-235-1: sudo vulnerability
- USN-235-2: sudo vulnerability
- VUPEN/ADV-2005-2386: Sudo Perl Environment Handling Command Execution Vulnerability
Reported:
Nov 11, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
