Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.UBUNTU_USN-235-2.NASL
HistoryJan 21, 2006 - 12:00 a.m.

Ubuntu 4.10 / 5.04 / 5.10 : sudo vulnerability (USN-235-2)

2006-01-2100:00:00
Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
www.tenable.com
19
JSON

USN-235-1 fixed a vulnerability in sudo’s handling of environment variables. Tavis Ormandy noticed that sudo did not filter out the PYTHONINSPECT environment variable, so that users with the limited privilege of calling a python script with sudo could still escalate their privileges.

For reference, this is the original advisory :

Charles Morris discovered a privilege escalation vulnerability in sudo. On executing Perl scripts with sudo, various environment variables that affect Perl’s library search path were not cleaned properly. If sudo is set up to grant limited sudo execution of Perl scripts to normal users, this could be exploited to run arbitrary commands as the target user.

This security update also filters out environment variables that can be exploited similarly with Python, Ruby, and zsh scripts.

Please note that this does not affect the default Ubuntu installation, or any setup that just grants full root privileges to certain users.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-235-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(20780);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2005-4158");
  script_xref(name:"USN", value:"235-2");

  script_name(english:"Ubuntu 4.10 / 5.04 / 5.10 : sudo vulnerability (USN-235-2)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"USN-235-1 fixed a vulnerability in sudo's handling of environment
variables. Tavis Ormandy noticed that sudo did not filter out the
PYTHONINSPECT environment variable, so that users with the limited
privilege of calling a python script with sudo could still escalate
their privileges.

For reference, this is the original advisory :

Charles Morris discovered a privilege escalation vulnerability in
sudo. On executing Perl scripts with sudo, various environment
variables that affect Perl's library search path were not cleaned
properly. If sudo is set up to grant limited sudo execution of Perl
scripts to normal users, this could be exploited to run arbitrary
commands as the target user.

This security update also filters out environment variables
that can be exploited similarly with Python, Ruby, and zsh
scripts.

Please note that this does not affect the default Ubuntu
installation, or any setup that just grants full root
privileges to certain users.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected sudo package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:sudo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/01/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(4\.10|5\.04|5\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04 / 5.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"4.10", pkgname:"sudo", pkgver:"1.6.7p5-1ubuntu4.5")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"sudo", pkgver:"1.6.8p5-1ubuntu2.4")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"sudo", pkgver:"1.6.8p9-2ubuntu2.3")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sudo");
}
VendorProductVersionCPE
canonicalubuntu_linuxsudop-cpe:/a:canonical:ubuntu_linux:sudo
canonicalubuntu_linux4.10cpe:/o:canonical:ubuntu_linux:4.10
canonicalubuntu_linux5.04cpe:/o:canonical:ubuntu_linux:5.04
canonicalubuntu_linux5.10cpe:/o:canonical:ubuntu_linux:5.10

Related

debiancve 2
cve 2
ubuntu 2
nessus 4
ubuntucve 2
securityvulns 1
openvas 4
prion 1
debian 4
debiancve
debiancve
CVE-2005-4158
2005-12-11 02:03:00
CVE-2006-0151
2006-01-09 23:03:00
cve
cve
CVE-2005-4158
2005-12-11 02:03:00
CVE-2006-0151
2006-01-09 23:03:00
ubuntu
ubuntu
sudo vulnerability
2006-01-09 00:00:00
sudo vulnerability
2006-01-06 00:00:00
nessus
nessus
Ubuntu 4.10 / 5.04 / 5.10 : sudo vulnerability (USN-235-1)
2006-01-21 00:00:00
Mandrake Linux Security Advisory : sudo (MDKSA-2005:234)
2006-01-15 00:00:00
Debian DSA-946-2 : sudo - missing input sanitising
2006-10-14 00:00:00
ubuntucve
ubuntucve
CVE-2005-4158
2005-12-11 00:00:00
CVE-2006-0151
2006-01-09 00:00:00
securityvulns
securityvulns
[Full-disclosure] [USN-235-2] sudo vulnerability
2006-01-09 00:00:00
openvas
openvas
Debian Security Advisory DSA 946-1 (sudo)
2008-01-17 00:00:00
Debian Security Advisory DSA 946-2 (sudo)
2008-01-17 00:00:00
Debian Security Advisory DSA 946-1 (sudo)
2008-01-17 00:00:00
prion
prion
Code injection
2006-01-09 23:03:00
debian
debian
[SECURITY] [DSA 946-1] New sudo packages fix privilege escalation
2006-01-20 10:24:04
[SECURITY] [DSA 946-2] New sudo packages fix privilege escalation
2006-04-08 16:09:06
[SECURITY] [DSA 946-2] New sudo packages fix privilege escalation
2006-04-08 00:00:00
JSON
Related for UBUNTU_USN-235-2.NASL
debiancve2cve2ubuntu2nessus4ubuntucve2securityvulns1openvas4prion1debian4