=====================================================================
                                  CERT-Renater

                       Note d'Information No. 2005/VULN391
_____________________________________________________________________

DATE                      : 21/06/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running sudo.

======================================================================

Summary:
     A race condition in Sudo's command pathname handling could allow
     a user with Sudo privileges to run arbitrary commands.

Details:
     When a user runs a command via Sudo, the inode and device numbers
     of the command are compared to those of commands with the same
     basename found in the sudoers file (see the Background paragraph
     for more information).  When a match is found, the path to the
     matching command listed in the sudoers file is stored in the
     variable safe_cmnd,  which is later used to execute the command.
     Because the actual path executed comes from the sudoers file
     and not directly from the user, Sudo should be safe from race
     conditions involving symbolic links.  However, if a sudoers
     entry containing the pseudo-command ALL follows the user's
     sudoers entry the contents of safe_cmnd will be overwritten
     with the path the user specified on the command line, making
     Sudo vulnerable to the aforementioned race condition.

Impact:
     Exploitation of the bug requires that the user be allowed to
     run one or more commands via Sudo and be able to create symbolic
     links in the filesystem.  Furthermore, a sudoers entry giving
     another user access to the ALL pseudo-command must follow the
     user's sudoers entry for the race to exist.

     For example, the following sudoers file is not affected by the
     bug:

	root		server=ALL
	someuser	server=/bin/echo

     Whereas this one would be:

	someuser	server=/bin/echo
	root		server=ALL

Fix:
     The problem has been fixed in OpenBSD-current as well as the
     3.6 and 3.7 -stable branches.  Patches for OpenBSD 3.6 and 3.7
     are also available:

     ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.6/common/018_sudo.patch
     ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common/003_sudo.patch


Workaround:
     The administrator can order the sudoers file such that all
     entries granting Sudo ALL privileges precede all other entries.

Credit:
     This problem was brought to my attention by Charles Morris.

Background:
     The reason Sudo uses the inode for command matching is to make
     relative paths work and to avoid problems caused by automounters
     where the path to be executed is not the same as the absolute
     path to the command.

     Another possible approach is to use the realpath() function to
     find the true path.  Sudo does not user realpath() because that
     function is not present in all operating systems and is often
     vulnerable to race conditions where it does exist.


======================================================================

         =========================================================
         Les serveurs de référence du CERT-Renater
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================