sudo -- Privilege escalation with sudoedit

ID 1A9F678D-48CA-11DF-85F8-000C29A67389
Type freebsd
Reporter FreeBSD
Modified 2010-04-09T00:00:00


Todd Miller reports:

Sudo's command matching routine expects actual commands to include one or more slash ('/') characters. The flaw is that sudo's path resolution code did not add a "./" prefix to commands found in the current working directory. This creates an ambiguity between a "sudoedit" command found in the cwd and the "sudoedit" pseudo-command in the sudoers file. As a result, a user may be able to run an arbitrary command named "sudoedit" in the current working directory. For the attack to be successful, the PATH environment variable must include "." and may not include any other directory that contains a "sudoedit" command.