Date: 21 June 2005
References: ESB-2005.0470 ESB-2005.0483 ESB-2005.0487
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
ESB-2005.0469 -- Sudo pathname validation vulnerability
21 June 2005
AusCERT Security Bulletin Summary
Product: Sudo versions 1.3.1 to 1.6.8p8
Operating System: UNIX variants
Impact: Increased Privileges
Execute Arbitrary Code/Commands
Access: Existing Account
Comment: This is the implementation of sudo distributed with many Unix-like
- --------------------------BEGIN INCLUDED TEXT--------------------
Subject: Sudo version 1.6.8p9 now available, fixes security issue.
From: Todd C. Miller
Date: 2005-06-20 08:10:05
Sudo version 1.6.8, patchlevel 9 is now available, which fixes a
race condition in Sudo's pathname validation. This is a security
A race condition in Sudo's command pathname handling prior to
Sudo version 1.6.8p9 that could allow a user with Sudo privileges
to run arbitrary commands.
Sudo versions affected:
Sudo versions 1.3.1 up to and including 1.6.8p8.
When a user runs a command via Sudo, the inode and device numbers
of the command are compared to those of commands with the same
basename found in the sudoers file (see the Background paragraph
for more information). When a match is found, the path to the
matching command listed in the sudoers file is stored in the
variable safe_cmnd, which is later used to execute the command.
Because the actual path executed comes from the sudoers file
and not directly from the user, Sudo should be safe from race
conditions involving symbolic links. However, if a sudoers
entry containing the pseudo-command ALL follows the user's
sudoers entry the contents of safe_cmnd will be overwritten
with the path the user specified on the command line, making
Sudo vulnerable to the aforementioned race condition.
Exploitation of the bug requires that the user be allowed to
run one or more commands via Sudo and be able to create symbolic
links in the filesystem. Furthermore, a sudoers entry giving
another user access to the ALL pseudo-command must follow the
user's sudoers entry for the race to exist.
For example, the following sudoers file is not affected by the
Whereas this one would be:
The bug is fixed in sudo 1.6.8p9.
The administrator can order the sudoers file such that all
entries granting Sudo ALL privileges precede all other entries.
This problem was brought to my attention by Charles Morris.
The reason Sudo uses the inode for command matching is to make
relative paths work and to avoid problems caused by automounters
where the path to be executed is not the same as the absolute
path to the command.
Another possible approach is to use the realpath() function to
find the true path. Sudo does not user realpath() because that
function is not present in all operating systems and is often
vulnerable to race conditions where it does exist.
The next major Sudo release will be version 1.7. For information
on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html
You can help speed the release of Sudo 1.7 by purchasing a support
contract or making a donation (see below).
Commercial support is available for Sudo. If your organization
uses Sudo, please consider purchasing a support contract to help
fund future Sudo development at http://www.sudo.ws/support.html
Custom enhancements to Sudo may also be contracted.
You can also help out by making a donation or "purchase" a copy
of Sudo at http://www.sudo.ws/purchase.html
Master Web Site:
Web Site Mirrors:
http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
http://sudo.stikman.com/ (Los Angeles, California, USA)
http://sudo.tolix.org/ (California, USA)
http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana, USA)
ftp://ftp.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong, China)
ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
http://sudo.tolix.org/ftp/ (California, USA)
http://sudo.mirror99.com/ (San Jose, California, USA)
http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
http://www.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
http://probsd.org/sudoftp/ (East Coast, USA)
http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----