Vulnerabilities > CVE-2004-1051

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

sudo before 1.6.8p2 allows local users to execute arbitrary commands by using "()" style environment variables to create functions that have the same name as any program within the bash script that is called without using the program's full pathname.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-596.NASL
    descriptionLiam Helmer noticed that sudo, a program that provides limited super user privileges to specific users, does not clean the environment sufficiently. Bash functions and the CDPATH variable are still passed through to the program running as privileged user, leaving possibilities to overload system routines. These vulnerabilities can only be exploited by users who have been granted limited super user privileges.
    last seen2020-06-01
    modified2020-06-02
    plugin id15825
    published2004-11-24
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15825
    titleDebian DSA-596-2 : sudo - missing input sanitising
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-596. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15825);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2004-1051");
      script_xref(name:"DSA", value:"596");
    
      script_name(english:"Debian DSA-596-2 : sudo - missing input sanitising");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Liam Helmer noticed that sudo, a program that provides limited super
    user privileges to specific users, does not clean the environment
    sufficiently. Bash functions and the CDPATH variable are still passed
    through to the program running as privileged user, leaving
    possibilities to overload system routines. These vulnerabilities can
    only be exploited by users who have been granted limited super user
    privileges."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=281665"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2004/dsa-596"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the sudo package.
    
    For the stable distribution (woody) these problems have been fixed in
    version 1.6.6-1.3."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:sudo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/11/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/24");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/11/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"sudo", reference:"1.6.6-1.3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2004-133.NASL
    descriptionLiam Helmer discovered a flow in sudo
    last seen2020-06-01
    modified2020-06-02
    plugin id15738
    published2004-11-17
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15738
    titleMandrake Linux Security Advisory : sudo (MDKSA-2004:133)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2004:133. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15738);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2004-1051");
      script_xref(name:"MDKSA", value:"2004:133");
    
      script_name(english:"Mandrake Linux Security Advisory : sudo (MDKSA-2004:133)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Liam Helmer discovered a flow in sudo's environment sanitizing. This
    flaw could allow a malicious users with permission to run a shell
    script that uses the bash shell to run arbitrary commands.
    
    The problem is fixed in sudo 1.6.8p2; the provided packages have been
    patched to correct the issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.sudo.ws/sudo/alerts/bash_functions.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected sudo package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sudo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.0", reference:"sudo-1.6.7-0.p5.2.1.100mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.1", reference:"sudo-1.6.8p1-1.1.101mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.2", reference:"sudo-1.6.7-0.p5.1.1.92mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2005-005.NASL
    descriptionThe remote host is missing Security Update 2005-005. This security update contains fixes for the following applications : - Apache - AppKit - AppleScript - Bluetooth - Directory Services - Finder - Foundation - HelpViewer - LDAP - libXpm - lukemftpd - NetInfo - ServerAdmin - sudo - Terminal - VPN These programs have multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id18189
    published2005-05-03
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18189
    titleMac OS X Multiple Vulnerabilities (Security Update 2005-005)

Statements

contributorMark J Cox
lastmodified2006-08-30
organizationRed Hat
statementWe do not consider this to be a security issue: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478#c1