CVE-2005-4158
CVSS 4.6
Published: 2005-12-10 21:03:00
Last revised: 2016-12-07 22:00:20

[Original] Sudo before 1.6.8 p12, when the Perl taint flag is off, does not clear the (1) PERLLIB, (2) PERL5LIB, and (3) PERL5OPT environment variables, which allows limited local users to cause a Perl script to include and execute arbitrary library files that have the same name as library files that are included by the script.


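[CNNVD] Sudo Perl environment variable handling security bypass vulnerability (CNNVD-200512-192)

        Versions of Sudo before 1.6.8 p12, when the Perl taint flag is off, do not clear the (1) PERLLIB, (2) PERL5LIB, and (3) PERL5OPT environment variables; limited local users can cause a Perl script to include and execute arbitrary library files that have the same name as library files included by the script.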

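- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]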

- CPE (affected platforms and products)

cpe:/a:todd_miller:sudo:1.6.3_p7  Todd Miller Sudo 1.6.3 p7
cpe:/a:todd_miller:sudo:1.6.3_p1
cpe:/a:todd_miller:sudo:1.6.8_p9
cpe:/a:todd_miller:sudo:1.6.3_p2
cpe:/a:todd_miller:sudo:1.6.8_p8
cpe:/a:todd_miller:sudo:1.6.3_p5
cpe:/a:todd_miller:sudo:1.6.3_p6
cpe:/a:todd_miller:sudo:1.6.5_p2
cpe:/a:todd_miller:sudo:1.6.5_p1
cpe:/a:todd_miller:sudo:1.6.3_p3
cpe:/a:todd_miller:sudo:1.6.8_p7
cpe:/a:todd_miller:sudo:1.6.3_p4
cpe:/a:todd_miller:sudo:1.6.8_p5
cpe:/a:todd_miller:sudo:1.5.8
cpe:/a:todd_miller:sudo:1.6.7  Todd Miller Sudo 1.6.7
cpe:/a:todd_miller:sudo:1.5.9
cpe:/a:todd_miller:sudo:1.6.8  Todd Miller Sudo 1.6.8
cpe:/a:todd_miller:sudo:1.5.6
cpe:/a:todd_miller:sudo:1.6.5  Todd Miller Sudo 1.6.5
cpe:/a:todd_miller:sudo:1.5.7
cpe:/a:todd_miller:sudo:1.6.6  Todd Miller Sudo 1.6.6
cpe:/a:todd_miller:sudo:1.6.8_p1
cpe:/a:todd_miller:sudo:1.6.3  Todd Miller Sudo 1.6.3
cpe:/a:todd_miller:sudo:1.6.4  Todd Miller Sudo 1.6.4
cpe:/a:todd_miller:sudo:1.6.1  Todd Miller Sudo 1.6.1
cpe:/a:todd_miller:sudo:1.6.2  Todd Miller Sudo 1.6.2
cpe:/a:todd_miller:sudo:1.6.4_p2
cpe:/a:todd_miller:sudo:1.6  Todd Miller Sudo 1.6
cpe:/a:todd_miller:sudo:1.6.4_p1
cpe:/a:todd_miller:sudo:1.6.7_p5

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4158
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4158
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-192
(Official data source) CNNVD

- Other links and resources

http://securitytracker.com/alerts/2005/Nov/1015192.html
(PATCH)  SECTRACK  1015192
http://www.debian.org/security/2006/dsa-946
(UNKNOWN)  DEBIAN  DSA-946
http://www.mandriva.com/security/advisories?name=MDKSA-2006:159
(UNKNOWN)  MANDRIVA  MDKSA-2006:159
http://www.novell.com/linux/security/advisories/2006_02_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2006:002
http://www.securityfocus.com/bid/15394
(PATCH)  BID  15394
http://www.sudo.ws/sudo/alerts/perl_env.html
(VENDOR_ADVISORY)  CONFIRM  http://www.sudo.ws/sudo/alerts/perl_env.html
http://www.trustix.org/errata/2006/0002/
(UNKNOWN)  TRUSTIX  2006-0002
http://www.vupen.com/english/advisories/2005/2386
(UNKNOWN)  VUPEN  ADV-2005-2386
http://xforce.iss.net/xforce/xfdb/23102
(PATCH)  XF  sudo-perl-execute-code(23102)
https://www.ubuntu.com/usn/usn-235-1/
(UNKNOWN)  UBUNTU  USN-235-1

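- Vulnerability information

Sudo Perl environment variable handling security bypass vulnerability
Medium severity  Input validation
2005-12-10 00:00:00 2005-12-12 00:00:00
Local
        Versions of Sudo before 1.6.8 p12, when the Perl taint flag is off, do not clear the (1) PERLLIB, (2) PERL5LIB, and (3) PERL5OPT environment variables; limited local users can cause a Perl script to include and execute arbitrary library files that have the same name as library files included by the script.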

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. Patch links:
        http://www.sudo.ws/sudo/download.html
        http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.6.7p5-1ubuntu4.4_amd64.deb
        http://wwwnew.mandriva.com/en/downloads/
        ftp://atualizacoes.conectiva.com.br/10/RPMS/sudo-1.6.8p9-42425U10_4cl.i386.rpm

- Vulnerability information (F49699)

Mandriva Linux Security Advisory 2006.159 (PacketStormID:F49699)
2006-09-07 00:00:00
Mandriva  mandriva.com
advisory
linux,mandriva
CVE-2005-4158,CVE-2006-0151

Mandriva Linux Security Advisory MDKSA-2006-159 - Previous sudo updates were made available to sanitize certain environment variables from affecting a sudo call, such as PYTHONINSPECT, PERL5OPT, etc. While those updates were effective in addressing those specific environment variables, other variables that were not blacklisted were being made available.


 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:159
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : sudo
 Date    : August 31, 2006
 Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Previous sudo updates were made available to sanitize certain
 environment variables from affecting a sudo call, such as
 PYTHONINSPECT, PERL5OPT, etc.  While those updates were effective in
 addressing those specific environment variables, other variables that
 were not blacklisted were being made available.
 
 Debian addressed this issue by forcing sudo to use a whitelist approach
 in DSA-946-2 by arbitrarily making env_reset the default (as opposed
 to having to be enabled in /etc/sudoers).  Mandriva has opted to follow
 the same approach so now only certain variables are, by default, made
 available, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY,
 XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_*
 variables.
 
 If other variables are required to be kept, this can be done by editing
 /etc/sudoers and using the env_keep option, such as:
 
     Defaults env_keep="FOO BAR"
 
 As well, the Corporate 3 packages are now compiled with the SECURE_PATH
 setting.
 
 Updated packages are patched to address this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4158
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0151
 http://www.debian.org/security/2006/dsa-946
 _______________________________________________________________________
 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

    

- Vulnerability information (F42922)

Ubuntu Security Notice 235-2 (PacketStormID:F42922)
2006-01-10 00:00:00
Ubuntu  security.ubuntu.com
advisory,python
linux,ubuntu
CVE-2005-4158

Ubuntu Security Notice USN-235-2 - USN-235-1 fixed a vulnerability in sudo's handling of environment variables. Tavis Ormandy noticed that sudo did not filter out the PYTHONINSPECT environment variable, so that users with the limited privilege of calling a python script with sudo could still escalate their privileges.

===========================================================
Ubuntu Security Notice USN-235-2	   January 09, 2006
sudo vulnerability
CVE-2005-4158
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

sudo

The problem can be corrected by upgrading the affected package to
version 1.6.7p5-1ubuntu4.5 (for Ubuntu 4.10), 1.6.8p5-1ubuntu2.4 (for
Ubuntu 5.04), or 1.6.8p9-2ubuntu2.3 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-235-1 fixed a vulnerability in sudo's handling of environment
variables. Tavis Ormandy noticed that sudo did not filter out the
PYTHONINSPECT environment variable, so that users with the limited
privilege of calling a python script with sudo could still escalate
their privileges.

For reference, this is the original advisory:

  Charles Morris discovered a privilege escalation vulnerability in
  sudo.  On executing Perl scripts with sudo, various environment
  variables that affect Perl's library search path were not cleaned
  properly. If sudo is set up to grant limited sudo execution of Perl
  scripts to normal users, this could be exploited to run arbitrary
  commands as the target user.

  This security update also filters out environment variables that can
  be exploited similarly with Python, Ruby, and zsh scripts.

  Please note that this does not affect the default Ubuntu installation,
  or any setup that just grants full root privileges to certain users.


    

- Vulnerability information (F42861)

Ubuntu Security Notice 235-1 (PacketStormID:F42861)
2006-01-08 00:00:00
Ubuntu  security.ubuntu.com
advisory,arbitrary,perl
linux,ubuntu
CVE-2005-4158

Ubuntu Security Notice USN-235-1 - Charles Morris discovered a privilege escalation vulnerability in sudo. On executing Perl scripts with sudo, various environment variables that affect Perl's library search path were not cleaned properly. If sudo is set up to grant limited sudo execution of Perl scripts to normal users, this could be exploited to run arbitrary commands as the target user.

===========================================================
Ubuntu Security Notice USN-235-1	   January 05, 2006
sudo vulnerability
CVE-2005-4158
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

sudo

The problem can be corrected by upgrading the affected package to
version 1.6.7p5-1ubuntu4.4 (for Ubuntu 4.10), 1.6.8p5-1ubuntu2.3 (for
Ubuntu 5.04), or 1.6.8p9-2ubuntu2.2 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Charles Morris discovered a privilege escalation vulnerability in
sudo.  On executing Perl scripts with sudo, various environment
variables that affect Perl's library search path were not cleaned
properly. If sudo is set up to grant limited sudo execution of Perl
scripts to normal users, this could be exploited to run arbitrary
commands as the target user.

This security update also filters out environment variables that can
be exploited similarly with Python, Ruby, and zsh scripts.

Please note that this does not affect the default Ubuntu installation,
or any setup that just grants full root privileges to certain users.


    

- Vulnerability information

20764
sudo PERL5OPT Environment Cleaning Multiple Variable Privilege Escalation
Local Access Required Other
Loss of Integrity Workaround, Patch / RCS, Upgrade
Exploit Public Vendor Verified, Vendor Verified, Third-party Verified, Coordinated Disclosure

- Vulnerability description

sudo contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a user is able to run Perl scripts via sudo and the Perl scripts do not have the taint flag (-T). This flaw may lead to a loss of integrity.

- Timeline

2005-11-10 Unknown
Unknown 2005-11-10

- Solution

Upgrade to version 1.6.8p12 or higher, as it has been reported to fix this vulnerability. An administrator can also apply the following workaround: Add 'Defaults env_delete+="PERLLIB PERL5LIB PERL5OPT"' to the top of the sudoers file to strip out the offending variables.
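
An added example (not from the advisories or the sudo project) of auditing a sudoers file for the two approaches described on this page: the `env_delete` blacklist workaround and the `env_reset`/`env_keep` whitelist. It reports which of the variables named on this page would still reach the command. Only global `Defaults` lines are handled; the function name, the sample rules and the `env_reset_default`/`builtin_delete` parameters are assumptions, because sudo's compiled-in defaults differ by version and build.

```python
import re
from fnmatch import fnmatchcase

# Variables this page names as dangerous when they reach an interpreter run via sudo.
RISKY = ("PERLLIB", "PERL5LIB", "PERL5OPT", "PYTHONINSPECT")

# One setting inside a Defaults line: [!]name, optionally followed by =, += or -= and a value.
SETTING = re.compile(r'(!?)(\w+)\s*(?:([+-]?=)\s*(?:"([^"]*)"|([^\s,]+)))?')


def surviving_vars(sudoers_text, env_reset_default=False, builtin_delete=()):
    """Return the RISKY variables that would be passed through to the command.

    env_reset_default and builtin_delete model the sudo build's compiled-in
    behaviour (assumed inputs; check the installed version for real values).
    """
    env_reset = env_reset_default
    lists = {"env_keep": set(), "env_delete": set(builtin_delete)}

    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not re.match(r"Defaults\s", line):
            continue  # user rules, aliases and scoped Defaults are out of scope here
        for neg, name, op, quoted, bare in SETTING.findall(line[len("Defaults"):]):
            words = set((quoted or bare or "").split())
            if name == "env_reset":
                env_reset = not neg
            elif name in lists:
                if neg:
                    lists[name] = set()      # "!env_keep" empties the list
                elif op == "+=":
                    lists[name] |= words
                elif op == "-=":
                    lists[name] -= words
                elif op == "=":
                    lists[name] = words

    def listed(var, patterns):
        # Entries may be shell-style patterns such as LC_*
        return any(fnmatchcase(var, p) for p in patterns)

    if env_reset:
        # Whitelist mode: a variable passes only if env_keep names it.
        return sorted(v for v in RISKY if listed(v, lists["env_keep"]))
    # Blacklist mode: a variable passes unless env_delete names it.
    return sorted(v for v in RISKY if not listed(v, lists["env_delete"]))


# Constructed sample configurations (the %ops rule and script path are hypothetical).
BLACKLIST_WORKAROUND = '''
Defaults env_delete+="PERLLIB PERL5LIB PERL5OPT"
%ops ALL = /usr/local/bin/report.pl
'''
WHITELIST = '''
Defaults env_reset
Defaults env_keep="FOO BAR"
'''
WHITELIST_REOPENED = '''
Defaults env_reset, env_keep+="PERL5LIB LC_*"
'''

if __name__ == "__main__":
    for label, text in [("blacklist workaround", BLACKLIST_WORKAROUND),
                        ("whitelist", WHITELIST),
                        ("whitelist with PERL5LIB kept", WHITELIST_REOPENED)]:
        print(f"{label}: {surviving_vars(text) or 'none'}")
```

The blacklist case still lets PYTHONINSPECT through, which is the gap USN-235-2 reports; the whitelist case passes none of the four unless `env_keep` re-adds one.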

- Related references

- Vulnerability author

- Vulnerability information

Sudo Perl Environment Variable Handling Security Bypass Vulnerability
Input Validation Error 15394
No Yes
2005-11-11 12:00:00 2006-10-24 11:33:00
Charles Morris is credited with the discovery of this vulnerability.

- Affected program versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
Todd Miller Sudo 1.6.8 p9
Todd Miller Sudo 1.6.8 p8
+ OpenPKG OpenPKG 2.4
+ OpenPKG OpenPKG Current
+ Red Hat Fedora Core4
Todd Miller Sudo 1.6.8 p7
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ OpenPKG OpenPKG 2.3
Todd Miller Sudo 1.6.8 p5
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
Todd Miller Sudo 1.6.8 p1
+ Mandriva Linux Mandrake 10.2 x86_64
+ Mandriva Linux Mandrake 10.2
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ OpenPKG OpenPKG 2.2
+ OpenPKG OpenPKG Current
Todd Miller Sudo 1.6.8
Todd Miller Sudo 1.6.7 p5
+ Conectiva Linux 10.0
+ Conectiva Linux 9.0
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ OpenPKG OpenPKG 2.1
+ Red Hat Fedora Core3
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Todd Miller Sudo 1.6.7
Todd Miller Sudo 1.6.6
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Slackware Linux 8.0
Todd Miller Sudo 1.6.5 p2
+ NetBSD NetBSD 1.5.2
+ OpenBSD OpenBSD 3.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
Todd Miller Sudo 1.6.5 p1
+ Slackware Linux 8.0
Todd Miller Sudo 1.6.5
Todd Miller Sudo 1.6.4 p2
Todd Miller Sudo 1.6.4 p1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
Todd Miller Sudo 1.6.4
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
Todd Miller Sudo 1.6.3 p7
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ Slackware Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
Todd Miller Sudo 1.6.3 p6
+ Guardian Digital Engarde Secure Linux 1.0.1
+ HP Secure OS software for Linux 1.0
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ Wirex Immunix OS 7.0
Todd Miller Sudo 1.6.3 p5
Todd Miller Sudo 1.6.3 p4
+ Slackware Linux 7.1
Todd Miller Sudo 1.6.3 p3
Todd Miller Sudo 1.6.3 p2
Todd Miller Sudo 1.6.3 p1
Todd Miller Sudo 1.6.3
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
Todd Miller Sudo 1.6.2
- Debian Linux 2.2
Todd Miller Sudo 1.6.1
Todd Miller Sudo 1.6
Todd Miller Sudo 1.5.9
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4
Todd Miller Sudo 1.5.8
Todd Miller Sudo 1.5.7
Todd Miller Sudo 1.5.6
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Conectiva Linux 10.0
Todd Miller Sudo 1.6.8 p12

- Unaffected program versions

Todd Miller Sudo 1.6.8 p12

- Vulnerability discussion

Sudo is prone to a security-bypass vulnerability that could lead to arbitrary code execution. This issue is due to an error in the application when handling the 'PERLLIB', 'PERL5LIB', and 'PERL5OPT' environment variables when tainting is ignored.

An attacker can exploit this vulnerability to bypass security restrictions and include arbitrary library files.

To exploit this vulnerability, an attacker must be able to run Perl scripts through Sudo.

- Exploit

No exploit is required.

Example text and Perl code to exploit this vulnerability are provided by breno <breno@kalangolinux.org>:

- Solution

The vendor has addressed this issue in Sudo 1.6.8p12. Contact the vendor to obtain the appropriate updates.

Please see the referenced vendor advisories for information on obtaining and applying the appropriate updates.



- Related references

 

 
