CVE-2016-7076
CVSS7.2
发布时间 :2018-05-29 09:29:00
修订时间 :2018-07-09 10:21:14
NMPS    

[原文]sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.


[CNNVD]CNNVD数据暂缺。


[机译]译文暂缺.

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-77 [在命令中使用的特殊元素转义处理不恰当(命令注入)]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7076
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7076
(官方数据源) NVD

- 其它链接及资源

http://rhn.redhat.com/errata/RHSA-2016-2872.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2016:2872
http://www.securityfocus.com/bid/95778
(VENDOR_ADVISORY)  BID  95778
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7076
(UNKNOWN)  CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7076
https://www.sudo.ws/alerts/noexec_wordexp.html
(VENDOR_ADVISORY)  CONFIRM  https://www.sudo.ws/alerts/noexec_wordexp.html

- 漏洞信息 (F140047)

Red Hat Security Advisory 2016-2872-01 (PacketStormID:F140047)
2016-12-06 00:00:00
Red Hat  
advisory,arbitrary,local,root
linux,redhat
CVE-2016-7032,CVE-2016-7076
[点击下载]

Red Hat Security Advisory 2016-2872-01 - The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix: It was discovered that the sudo noexec restriction could have been bypassed if application run via sudo executed system(), popen(), or wordexp() C library functions with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could use these flaws to execute arbitrary commands with elevated privileges.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: sudo security update
Advisory ID:       RHSA-2016:2872-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2872.html
Issue date:        2016-12-06
CVE Names:         CVE-2016-7032 CVE-2016-7076 
=====================================================================

1. Summary:

An update for sudo is now available for Red Hat Enterprise Linux 6 and Red
Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The sudo packages contain the sudo utility which allows system
administrators to provide certain users with the permission to execute
privileged commands, which are used for system management purposes, without
having to log in as root.

Security Fix(es):

* It was discovered that the sudo noexec restriction could have been
bypassed if application run via sudo executed system(), popen(), or
wordexp() C library functions with a user supplied argument. A local user
permitted to run such application via sudo with noexec restriction could
use these flaws to execute arbitrary commands with elevated privileges.
(CVE-2016-7032, CVE-2016-7076)

These issues were discovered by Florian Weimer (Red Hat).

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1372830 - CVE-2016-7032 sudo: noexec bypass via system() and popen()
1384982 - CVE-2016-7076 sudo: noexec bypass via wordexp()

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
sudo-1.8.6p3-25.el6_8.src.rpm

i386:
sudo-1.8.6p3-25.el6_8.i686.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.i686.rpm

x86_64:
sudo-1.8.6p3-25.el6_8.x86_64.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
sudo-debuginfo-1.8.6p3-25.el6_8.i686.rpm
sudo-devel-1.8.6p3-25.el6_8.i686.rpm

x86_64:
sudo-debuginfo-1.8.6p3-25.el6_8.i686.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.x86_64.rpm
sudo-devel-1.8.6p3-25.el6_8.i686.rpm
sudo-devel-1.8.6p3-25.el6_8.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
sudo-1.8.6p3-25.el6_8.src.rpm

x86_64:
sudo-1.8.6p3-25.el6_8.x86_64.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
sudo-debuginfo-1.8.6p3-25.el6_8.i686.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.x86_64.rpm
sudo-devel-1.8.6p3-25.el6_8.i686.rpm
sudo-devel-1.8.6p3-25.el6_8.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
sudo-1.8.6p3-25.el6_8.src.rpm

i386:
sudo-1.8.6p3-25.el6_8.i686.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.i686.rpm

ppc64:
sudo-1.8.6p3-25.el6_8.ppc64.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.ppc64.rpm

s390x:
sudo-1.8.6p3-25.el6_8.s390x.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.s390x.rpm

x86_64:
sudo-1.8.6p3-25.el6_8.x86_64.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
sudo-debuginfo-1.8.6p3-25.el6_8.i686.rpm
sudo-devel-1.8.6p3-25.el6_8.i686.rpm

ppc64:
sudo-debuginfo-1.8.6p3-25.el6_8.ppc.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.ppc64.rpm
sudo-devel-1.8.6p3-25.el6_8.ppc.rpm
sudo-devel-1.8.6p3-25.el6_8.ppc64.rpm

s390x:
sudo-debuginfo-1.8.6p3-25.el6_8.s390.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.s390x.rpm
sudo-devel-1.8.6p3-25.el6_8.s390.rpm
sudo-devel-1.8.6p3-25.el6_8.s390x.rpm

x86_64:
sudo-debuginfo-1.8.6p3-25.el6_8.i686.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.x86_64.rpm
sudo-devel-1.8.6p3-25.el6_8.i686.rpm
sudo-devel-1.8.6p3-25.el6_8.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
sudo-1.8.6p3-25.el6_8.src.rpm

i386:
sudo-1.8.6p3-25.el6_8.i686.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.i686.rpm

x86_64:
sudo-1.8.6p3-25.el6_8.x86_64.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
sudo-debuginfo-1.8.6p3-25.el6_8.i686.rpm
sudo-devel-1.8.6p3-25.el6_8.i686.rpm

x86_64:
sudo-debuginfo-1.8.6p3-25.el6_8.i686.rpm
sudo-debuginfo-1.8.6p3-25.el6_8.x86_64.rpm
sudo-devel-1.8.6p3-25.el6_8.i686.rpm
sudo-devel-1.8.6p3-25.el6_8.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
sudo-1.8.6p7-21.el7_3.src.rpm

x86_64:
sudo-1.8.6p7-21.el7_3.x86_64.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
sudo-debuginfo-1.8.6p7-21.el7_3.i686.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.x86_64.rpm
sudo-devel-1.8.6p7-21.el7_3.i686.rpm
sudo-devel-1.8.6p7-21.el7_3.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
sudo-1.8.6p7-21.el7_3.src.rpm

x86_64:
sudo-1.8.6p7-21.el7_3.x86_64.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
sudo-debuginfo-1.8.6p7-21.el7_3.i686.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.x86_64.rpm
sudo-devel-1.8.6p7-21.el7_3.i686.rpm
sudo-devel-1.8.6p7-21.el7_3.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
sudo-1.8.6p7-21.el7_3.src.rpm

aarch64:
sudo-1.8.6p7-21.el7_3.aarch64.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.aarch64.rpm

ppc64:
sudo-1.8.6p7-21.el7_3.ppc64.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.ppc64.rpm

ppc64le:
sudo-1.8.6p7-21.el7_3.ppc64le.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.ppc64le.rpm

s390x:
sudo-1.8.6p7-21.el7_3.s390x.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.s390x.rpm

x86_64:
sudo-1.8.6p7-21.el7_3.x86_64.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
sudo-debuginfo-1.8.6p7-21.el7_3.aarch64.rpm
sudo-devel-1.8.6p7-21.el7_3.aarch64.rpm

ppc64:
sudo-debuginfo-1.8.6p7-21.el7_3.ppc.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.ppc64.rpm
sudo-devel-1.8.6p7-21.el7_3.ppc.rpm
sudo-devel-1.8.6p7-21.el7_3.ppc64.rpm

ppc64le:
sudo-debuginfo-1.8.6p7-21.el7_3.ppc64le.rpm
sudo-devel-1.8.6p7-21.el7_3.ppc64le.rpm

s390x:
sudo-debuginfo-1.8.6p7-21.el7_3.s390.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.s390x.rpm
sudo-devel-1.8.6p7-21.el7_3.s390.rpm
sudo-devel-1.8.6p7-21.el7_3.s390x.rpm

x86_64:
sudo-debuginfo-1.8.6p7-21.el7_3.i686.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.x86_64.rpm
sudo-devel-1.8.6p7-21.el7_3.i686.rpm
sudo-devel-1.8.6p7-21.el7_3.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
sudo-1.8.6p7-21.el7_3.src.rpm

x86_64:
sudo-1.8.6p7-21.el7_3.x86_64.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
sudo-debuginfo-1.8.6p7-21.el7_3.i686.rpm
sudo-debuginfo-1.8.6p7-21.el7_3.x86_64.rpm
sudo-devel-1.8.6p7-21.el7_3.i686.rpm
sudo-devel-1.8.6p7-21.el7_3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-7032
https://access.redhat.com/security/cve/CVE-2016-7076
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYRqaEXlSAg2UNWIIRAim8AJ911lHOJS+wAeB6J6uUKy67M+1j7QCaA+Bl
WHJJ934ZNL7OsDrkaY4y5QE=
=MFFg
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- 漏洞信息

IBM PowerKVM CVE-2016-7076 Local Command Execution Vulnerability
Input Validation Error 95778
No Yes
2017-01-25 12:00:00 2017-01-25 05:06:00
The vendor reported this issue.

- 受影响的程序版本

IBM PowerKVM 3.1
IBM PowerKVM 2.1

- 漏洞讨论

IBM PowerKVM is prone to multiple local command-execution vulnerability.

A local attacker can exploit this issue to execute arbitrary commands with elevated privileges.

IBM PowerKVM 2.1 and 3.1 are vulnerable.

- 漏洞利用

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 解决方案

Updates are available. Please see the references or vendor advisory for more information.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站