=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN343
_____________________________________________________________________

DATE                      : 08/09/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Sudo versions 1.7.x prior to 1.7.4p4.

======================================================================
http://www.sudo.ws/sudo/alerts/runas_group.html
______________________________________________________________________

Flaw in Runas group matching

Summary:
Beginning with sudo version 1.7.0 it has been possible to grant permission
to run a command using a specified group via sudo -g option (run as group).
A flaw exists in the logic that matches Runas groups in the sudoers file
when the -u option is also specified (run as user). This flaw results in
a positive match for the user specified via -u so long as the group
specified via -g is allowed by the sudoers file.


Sudo versions affected:
Sudo 1.7.0 through 1.7.4p3.


CVE ID:
This vulnerability has been assigned CVE-2010-2956 in the Common
Vulnerabilities and Exposures database.


Details:
A sudoers file entry may list the users and groups that a command may be
run as. For example, given the following sudoers entry:

    millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc

user millert may run /usr/bin/lpq, /usr/bin/lprm or /usr/bin/lpc as user lp,
as group operator, or as both at once. In this case, the following would
all be allowed.

    $ sudo -g operator /usr/bin/lpc
    $ sudo -u lp /usr/bin/lprm
    $ sudo -g operator -u lp /usr/bin/lpq

However, due to a flaw in the matching logic, it is possible for millert
to run a listed command as any user so long as an allowed group is also
specified. For instance,

    $ sudo -g operator -u root /usr/bin/lpq

would be allowed, even though the user should not have permission to run
commands as root.


Impact:
Exploitation of the flaw requires that Sudo be configured with sudoers entries
that contain a Runas group. Entries that do not contain a Runas group, or that
contain only a Runas user, are not affected.

For example, the following entry is affected because it contains both a Runas
user and a Runas group:

    millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc

Whereas this one only contains a Runas user and is not affected:

    millert ALL = (lp) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc

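The matching described under Details and the distinction drawn under Impact
can both be checked with the following model. It is an added example written
from this advisory's description alone; it is not sudo's source code and not
part of the original advisory. It parses only the simple entry form used on
this page ("who host = (runas_user : runas_group) cmd, cmd"), treats an
empty Runas user list as root (a simplification of sudo's default), omits
host matching, and the sample sudoers text (including the "alice" entry) is
constructed for the example.

```python
"""Model of the CVE-2010-2956 Runas group matching flaw.

Added example, not code from sudo or from the advisory: a simplified model
of how a sudoers entry's Runas list "(user : group)" is matched against a
"sudo -u USER -g GROUP COMMAND" request, plus a scan that flags which
sudoers lines carry a Runas group and are therefore exposed. Aliases,
tags, host matching and Defaults lines are outside this model.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# e.g.  millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm
_ENTRY_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>\S.*?)\s*$"
)

@dataclass
class Entry:
    user: str
    host: str
    runas_users: List[str]     # empty: no Runas user listed
    runas_groups: List[str]    # empty: no Runas group listed
    commands: List[str]

def _split(spec: str) -> List[str]:
    return [x.strip() for x in spec.split(",") if x.strip()]

def parse_entry(line: str) -> Entry:
    """Parse one simplified sudoers line (a subset of the real grammar)."""
    m = _ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    users, groups = "", ""
    if m.group("runas") is not None:
        users, _, groups = m.group("runas").partition(":")
    return Entry(m.group("user"), m.group("host"),
                 _split(users), _split(groups), _split(m.group("cmds")))

def has_runas_group(entry: Entry) -> bool:
    """Per the advisory, only entries that list a Runas group are exposed."""
    return bool(entry.runas_groups)

def runas_matches(entry: Entry, want_user: Optional[str],
                  want_group: Optional[str], vulnerable: bool) -> bool:
    """Does the Runas list permit 'sudo -u want_user -g want_group'?

    With neither option sudo targets root, so an empty Runas user list is
    treated as ["root"] (simplification of sudo's default, an assumption).
    The 'vulnerable' branch models sudo 1.7.0 - 1.7.4p3 as the advisory
    describes it: once the -g group is allowed, the -u user is accepted
    without being checked. The fixed branch requires both to match.
    """
    if want_user is None and want_group is None:
        want_user = "root"
    allowed_users = entry.runas_users or ["root"]
    user_ok = (want_user is None or "ALL" in allowed_users
               or want_user in allowed_users)
    group_ok = (want_group is None or "ALL" in entry.runas_groups
                or want_group in entry.runas_groups)
    if vulnerable and want_user is not None and want_group is not None:
        return group_ok          # flaw: the -u user is never compared
    return user_ok and group_ok

def decide(line: str, want_user: Optional[str], want_group: Optional[str],
           command: str, vulnerable: bool = False) -> bool:
    """Would this single entry allow the request? Host matching is omitted."""
    e = parse_entry(line)
    cmd_ok = "ALL" in e.commands or command in e.commands
    return cmd_ok and runas_matches(e, want_user, want_group, vulnerable)

def audit_sudoers(text: str) -> List[str]:
    """Return the entries in a sudoers text that list a Runas group."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        try:
            if has_runas_group(parse_entry(line)):
                hits.append(line)
        except ValueError:
            pass  # alias definitions etc. are outside this model
    return hits

# Constructed sample file built from the advisory's two entries.
SAMPLE_SUDOERS = """\
# constructed sample, not a real system's sudoers
Defaults    env_reset
millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
alice   ALL = (lp) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
"""
ENTRY = "millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc"

if __name__ == "__main__":
    for mode in (True, False):
        label = "1.7.4p3 (vulnerable)" if mode else "1.7.4p4 (fixed)"
        print(label, "-u root -g operator /usr/bin/lpq ->",
              decide(ENTRY, "root", "operator", "/usr/bin/lpq", mode))
    print("entries with a Runas group:", audit_sudoers(SAMPLE_SUDOERS))
```

Run stand-alone, the script shows the advisory's "sudo -g operator -u root
/usr/bin/lpq" request accepted by the modelled 1.7.4p3 logic and refused by
the fixed logic, and lists only the "(lp : operator)" entry as exposed; the
"-u root" request without "-g" is refused in both modes, matching the
advisory's statement that an allowed group must also be given.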

Fix:
The flaw is fixed in sudo 1.7.4p4.


Credit:
I would like to thank Markus Wuethrich of Swiss Post - PostFinance for
reporting this issue via Red Hat.


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

