Vulnerabilities > CVE-2005-4158 - Unspecified vulnerability in Todd Miller Sudo
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Sudo before 1.6.8 p12, when the Perl taint flag is off, does not clear the (1) PERLLIB, (2) PERL5LIB, and (3) PERL5OPT environment variables, which allows limited local users to cause a Perl script to include and execute arbitrary library files that have the same name as library files that are included by the script.
Vulnerable Configurations
Exploit-Db
id | EDB-ID:27057 |
title | Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability 2 |
description | Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (2). CVE-2005-4158. Local exploit for linux platform |
reporter | Breno Silva Pinto |
published | 2006-01-09 |
modified | 2006-01-09 |
last seen | 2016-02-03 |
source | https://www.exploit-db.com/download/27057/ |

id | EDB-ID:27056 |
title | Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability 1 |
description | Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (1). CVE-2005-4158. Local exploit for linux platform |
reporter | Breno Silva Pinto |
published | 2006-01-09 |
modified | 2006-01-09 |
last seen | 2016-02-03 |
source | https://www.exploit-db.com/download/27056/ |

id | EDB-ID:26498 |
title | Sudo Perl 1.6.x Environment Variable Handling Security Bypass Vulnerability |
description | Sudo Perl 1.6.x Environment Variable Handling Security Bypass Vulnerability. CVE-2005-4158. Local exploit for linux platform |
reporter | Charles Morris |
published | 2005-11-11 |
modified | 2005-11-11 |
last seen | 2016-02-03 |
source | https://www.exploit-db.com/download/26498/ |
Nessus
NASL id | MANDRAKE_MDKSA-2006-159.NASL |
NASL family | Mandriva Local Security Checks |
title | Mandrake Linux Security Advisory : sudo (MDKSA-2006:159) |
description | Previous sudo updates were made available to sanitize certain environment variables from affecting a sudo call, such as PYTHONINSPECT, PERL5OPT, etc. While those updates were effective in addressing those specific environment variables, other variables that were not blacklisted were being made available. Debian addressed this issue by forcing sudo to use a whitelist approach in DSA-946-2 by arbitrarily making env_reset the default (as opposed to having to be enabled in /etc/sudoers). Mandriva has opted to follow the same approach so now only certain variables are, by default, made available, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_* variables. If other variables are required to be kept, this can be done by editing /etc/sudoers and using the env_keep option, such as : Defaults env_keep='FOO BAR' As well, the Corporate 3 packages are now compiled with the SECURE_PATH setting. Updated packages are patched to address this issue. |
plugin id | 23903 |
published | 2006-12-16 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/23903 |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2006:159.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(23903);
  script_version ("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:48");

  script_cve_id("CVE-2005-4158", "CVE-2006-0151");
  script_xref(name:"DSA", value:"946");
  script_xref(name:"MDKSA", value:"2006:159");

  script_name(english:"Mandrake Linux Security Advisory : sudo (MDKSA-2006:159)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandrake Linux host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Previous sudo updates were made available to sanitize certain
environment variables from affecting a sudo call, such as
PYTHONINSPECT, PERL5OPT, etc. While those updates were effective in
addressing those specific environment variables, other variables that
were not blacklisted were being made available.

Debian addressed this issue by forcing sudo to use a whitlist approach
in DSA-946-2 by arbitrarily making env_reset the default (as opposed to
having to be enabled in /etc/sudoers). Mandriva has opted to follow the
same approach so now only certain variables are, by default, made
available, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY,
XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_*
variables. If other variables are required to be kept, this can be
done by editing /etc/sudoers and using the env_keep option, such as :

Defaults env_keep='FOO BAR'

As well, the Corporate 3 packages are now compiled with the SECURE_PATH
setting.

Updated packages are patched to address this issue."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected sudo package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sudo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/08/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK2006.0", reference:"sudo-1.6.8p8-2.3.20060mdk", yank:"mdk")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
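A defender-side check for the env_reset / env_keep configuration that the MDKSA-2006:159 advisory describes, added here as an example and not taken from the page or from the sudo project: it reads plain Defaults lines from a constructed /etc/sudoers fragment and flags a configuration that leaves env_reset off or re-adds, via env_keep, the interpreter variables this page names. The variable list, the parser's scope (unqualified Defaults lines only) and both sample fragments are this example's own assumptions.

```python
import re

# Interpreter-affecting variables named on this page; env_reset (a whitelist) is the
# fix the advisories describe, but env_keep can re-expose them, which this audit flags.
RISKY_VARS = {"PERLLIB", "PERL5LIB", "PERL5OPT", "PYTHONINSPECT"}

_KEEP = re.compile(r'env_keep\s*(\+=|-=|=)\s*(?:"([^"]*)"|(\S+))')
_RESET = re.compile(r'(!?)env_reset\b')

def parse_defaults(sudoers_text):
    """Return (env_reset_on, env_keep_set) from unqualified 'Defaults' lines.
    Assumption: Defaults:user / Defaults@host / Defaults>runas lines are not examined."""
    env_reset, env_keep = False, set()
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop sudoers comments
        if not re.match(r"Defaults(\s|$)", line):
            continue
        for m in _RESET.finditer(line):              # later lines override earlier ones
            env_reset = m.group(1) != "!"
        for m in _KEEP.finditer(line):
            op, names = m.group(1), set((m.group(2) or m.group(3)).split())
            if op == "=":
                env_keep = names                     # replace the list
            elif op == "+=":
                env_keep |= names                    # append to the list
            else:
                env_keep -= names                    # remove from the list
    return env_reset, env_keep

def audit_sudoers(sudoers_text):
    """Return findings a defender would act on; an empty list means the config is OK."""
    env_reset, env_keep = parse_defaults(sudoers_text)
    findings = []
    if not env_reset:
        findings.append("env_reset off: only a blacklist protects interpreters (CVE-2005-4158 pattern)")
    for var in sorted(env_keep & RISKY_VARS):
        findings.append(f"env_keep re-exposes interpreter variable {var}")
    return findings

# Constructed sudoers fragments (not from any real host): weak, then hardened.
WEAK_SUDOERS = """\
Defaults    !env_reset
Defaults    env_keep += "PERL5OPT PERLLIB"
root    ALL=(ALL) ALL
"""
HARDENED_SUDOERS = """\
Defaults    env_reset
Defaults    env_keep = "HOME LOGNAME SHELL TERM DISPLAY XAUTHORITY LANG LC_*"
Defaults    env_keep += "FOO BAR"   # the advisory's site-specific additions
"""
```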
NASL id | MANDRAKE_MDKSA-2005-234.NASL |
NASL family | Mandriva Local Security Checks |
title | Mandrake Linux Security Advisory : sudo (MDKSA-2005:234) |
description | Charles Morris discovered a vulnerability in sudo versions prior to 1.6.8p12 where, when the perl taint flag is off, sudo does not clear the PERLLIB, PERL5LIB, and PERL5OPT environment variables, which could allow limited local users to cause a perl script to include and execute arbitrary library files that have the same name as library files that are included by the script. In addition, other environment variables have been included in the patch that remove similar environment variables that could be used in python and ruby scripts, among others. The updated packages have been patched to correct this problem. |
plugin id | 20465 |
published | 2006-01-15 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/20465 |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2005:234.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(20465);
  script_version ("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:48");

  script_cve_id("CVE-2005-4158", "CVE-2006-0151");
  script_xref(name:"MDKSA", value:"2005:234");

  script_name(english:"Mandrake Linux Security Advisory : sudo (MDKSA-2005:234)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandrake Linux host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Charles Morris discovered a vulnerability in sudo versions prior to
1.6.8p12 where, when the perl taint flag is off, sudo does not clear
the PERLLIB, PERL5LIB, and PERL5OPT environment variables, which could
allow limited local users to cause a perl script to include and
execute arbitrary library files that have the same name as library
files that included by the script.

In addition, other environment variables have been included in the
patch that remove similar environment variables that could be used in
python and ruby, scripts, among others.

The updated packages have been patched to correct this problem."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.sudo.ws/sudo/alerts/perl_env.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected sudo package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sudo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/12/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK10.1", reference:"sudo-1.6.8p1-1.4.101mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.2", reference:"sudo-1.6.8p1-2.3.102mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"sudo-1.6.8p8-2.2.20060mdk", yank:"mdk")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL id | DEBIAN_DSA-946.NASL |
NASL family | Debian Local Security Checks |
title | Debian DSA-946-2 : sudo - missing input sanitising |
description | The former correction to vulnerabilities in the sudo package worked fine but was too strict for some environments. Therefore we have reviewed the changes again and allowed some environment variables to go back into the privileged execution environment. Hence, this update. The configuration option |
plugin id | 22812 |
published | 2006-10-14 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/22812 |

NASL id | UBUNTU_USN-235-1.NASL |
NASL family | Ubuntu Local Security Checks |
title | Ubuntu 4.10 / 5.04 / 5.10 : sudo vulnerability (USN-235-1) |
description | Charles Morris discovered a privilege escalation vulnerability in sudo. On executing Perl scripts with sudo, various environment variables that affect Perl |
plugin id | 20779 |
published | 2006-01-21 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/20779 |

NASL id | UBUNTU_USN-235-2.NASL |
NASL family | Ubuntu Local Security Checks |
title | Ubuntu 4.10 / 5.04 / 5.10 : sudo vulnerability (USN-235-2) |
description | USN-235-1 fixed a vulnerability in sudo |
plugin id | 20780 |
published | 2006-01-21 |
modified | 2020-06-02 |
last seen | 2020-06-01 |
reporter | Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/20780 |
Statements
contributor | Mark J Cox |
lastmodified | 2008-01-24 |
organization | Red Hat |
statement | We do not consider this to be a security issue. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478#c1 |
References
- http://secunia.com/advisories/17534/
- http://secunia.com/advisories/18102
- http://secunia.com/advisories/18156
- http://secunia.com/advisories/18308
- http://secunia.com/advisories/18463
- http://secunia.com/advisories/18549
- http://secunia.com/advisories/18558
- http://secunia.com/advisories/21692
- http://securitytracker.com/alerts/2005/Nov/1015192.html
- http://www.debian.org/security/2006/dsa-946
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:234
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:159
- http://www.novell.com/linux/security/advisories/2006_02_sr.html
- http://www.securityfocus.com/bid/15394
- http://www.sudo.ws/sudo/alerts/perl_env.html
- http://www.trustix.org/errata/2006/0002/
- http://www.vupen.com/english/advisories/2005/2386
- https://exchange.xforce.ibmcloud.com/vulnerabilities/23102
- https://www.ubuntu.com/usn/usn-235-1/