CVE-2009-0034 - Incorrect Authorization vulnerability in multiple products
Metric | Value |
---|---|
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |

Summary
parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
OS | | 1 |
Common Weakness Enumeration (CWE)
Nessus
- NASL family: Ubuntu Local Security Checks
- NASL id: UBUNTU_USN-722-1.NASL
- description: Harald Koenig discovered that sudo did not correctly handle certain privilege changes when handling groups. If a local attacker belonged to a group included in a
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 38070
- published: 2009-04-23
- reporter: Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/38070
- title: Ubuntu 8.04 LTS / 8.10 : sudo vulnerability (USN-722-1)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-722-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(38070);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:33:02");

  script_cve_id("CVE-2009-0034", "CVE-2011-0008");
  script_bugtraq_id(33517);
  script_xref(name:"USN", value:"722-1");

  script_name(english:"Ubuntu 8.04 LTS / 8.10 : sudo vulnerability (USN-722-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Harald Koenig discovered that sudo did not correctly handle certain
privilege changes when handling groups. If a local attacker belonged
to a group included in a 'RunAs' list in the /etc/sudoers file, that
user could gain root privileges. This was not an issue for the default
sudoers file shipped with Ubuntu.
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/722-1/"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected sudo and / or sudo-ldap packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:sudo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:sudo-ldap");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/02/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(8\.04|8\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 8.04 / 8.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"8.04", pkgname:"sudo", pkgver:"1.6.9p10-1ubuntu3.4")) flag++;
if (ubuntu_check(osver:"8.04", pkgname:"sudo-ldap", pkgver:"1.6.9p10-1ubuntu3.4")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"sudo", pkgver:"1.6.9p17-1ubuntu2.1")) flag++;
if (ubuntu_check(osver:"8.10", pkgname:"sudo-ldap", pkgver:"1.6.9p17-1ubuntu2.1")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sudo / sudo-ldap");
}
```
- NASL family: Mandriva Local Security Checks
- NASL id: MANDRIVA_MDVSA-2009-033.NASL
- description: A vulnerability has been identified in sudo which allowed - depending on the sudoers rules - a sudo-user to execute arbitrary shell commands as root (CVE-2009-0034). The updated packages have been patched to prevent this.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 38137
- published: 2009-04-23
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/38137
- title: Mandriva Linux Security Advisory : sudo (MDVSA-2009:033)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2009:033.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(38137);
  script_version ("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:51");

  script_cve_id("CVE-2009-0034");
  script_bugtraq_id(33517);
  script_xref(name:"MDVSA", value:"2009:033");

  script_name(english:"Mandriva Linux Security Advisory : sudo (MDVSA-2009:033)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandriva Linux host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability has been identified in sudo which allowed - depending
on the sudoers rules - a sudo-user to execute arbitrary shell commands
as root (CVE-2009-0034).
The updated packages have been patched to prevent this."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected sudo package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sudo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/02/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;

if (rpm_check(release:"MDK2008.0", reference:"sudo-1.6.9p5-1.1mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"sudo-1.6.9p13-1.1mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"sudo-1.6.9p17-1.1mdv2009.0", yank:"mdv")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2011-0455.NASL
- description:
  - rebase to 1.7.4p5
  - fixed sudo-1.7.4p4-getgrouplist.patch
  - fixes CVE-2011-0008, CVE-2011-0010

  Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 51656
- published: 2011-01-24
- reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/51656
- title: Fedora 13 : sudo-1.7.4p5-1.fc13 (2011-0455)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2011-0455.
#

include("compat.inc");

if (description)
{
  script_id(51656);
  script_version("1.9");
  script_cvs_date("Date: 2019/08/02 13:32:33");

  script_cve_id("CVE-2009-0034", "CVE-2011-0008", "CVE-2011-0010");
  script_bugtraq_id(33517, 45774);
  script_xref(name:"FEDORA", value:"2011-0455");

  script_name(english:"Fedora 13 : sudo-1.7.4p5-1.fc13 (2011-0455)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
" - rebase to 1.7.4p5
 - fixed sudo-1.7.4p4-getgrouplist.patch
 - fixes CVE-2011-0008, CVE-2011-0010
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=668843"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=668879"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2011-January/053341.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0e1e5ecb"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected sudo package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:sudo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:13");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/01/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^13([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 13.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC13", reference:"sudo-1.7.4p5-1.fc13")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sudo");
}
```
- NASL family: Misc.
- NASL id: VMWARE_VMSA-2009-0009_REMOTE.NASL
- description: The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities :
  - A flaw exists in sudo in file parse.c due to a failure to properly interpret a system group (%group) in the sudoers configuration file when handling authorization decisions for users belonging to that group. A local attacker can exploit this to gain root privileges via a crafted sudo command. (CVE-2009-0034)
  - A flaw exists in the redirect implementation in libcurl that allows arbitrary Location values to be accepted when CURLOPT_FOLLOWLOCATION is enabled. An attacker with control of a remote HTTP server can exploit this, via crafted redirect URLs, to trigger requests to intranet servers, to read or write arbitrary files, or to execute arbitrary commands. (CVE-2009-0037)
  - A flaw exists in udev due to a failure to verify that a NETLINK message originates from the kernel space. A local attacker can exploit this, via a crafted NETLINK message, to gain elevated privileges on the root file system. (CVE-2009-1185)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 89115
- published: 2016-03-03
- reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/89115
- title: VMware ESX Multiple Vulnerabilities (VMSA-2009-0009) (remote check)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(89115);
  script_version("1.4");
  script_cvs_date("Date: 2018/08/06 14:03:16");

  script_cve_id(
    "CVE-2009-0034",
    "CVE-2009-0037",
    "CVE-2009-1185"
  );
  script_bugtraq_id(
    33517,
    33962,
    34536
  );
  script_xref(name:"VMSA", value:"2009-0009");
  script_xref(name:"EDB-ID", value:"8572");
  script_xref(name:"EDB-ID", value:"21848");

  script_name(english:"VMware ESX Multiple Vulnerabilities (VMSA-2009-0009) (remote check)");
  script_summary(english:"Checks the ESX version and build number.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a security-related patch.");
  script_set_attribute(attribute:"description", value:
"The remote VMware ESX host is missing a security-related patch. It is,
therefore, affected by multiple vulnerabilities :
  - A flaw exists in sudo in file parse.c due to a failure
    to properly interpret a system group (%group) in the
    sudoers configuration file when handling authorization
    decisions for users belonging to that group. A local
    attacker can exploit this to gain root privileges via a
    crafted sudo command. (CVE-2009-0034)
  - A flaw exists in the redirect implementation in libcurl
    that allows arbitrary Location values to be accepted
    when CURLOPT_FOLLOWLOCATION is enabled. An attacker with
    control of a remote HTTP server can exploit this, via
    crafted redirect URLs, to trigger requests to intranet
    servers, to read or write arbitrary files, or to execute
    arbitrary commands. (CVE-2009-0037)
  - A flaw exists in udev due to a failure to verify that a
    NETLINK message originates from the kernel space. A
    local attacker can exploit this, via a crafted NETLINK
    message, to gain elevated privileges on the root file
    system. (CVE-2009-1185)");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2009-0009");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory that
pertains to ESX version 4.0.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux udev Netlink Local Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(20, 264, 352);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/01/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/version", "Host/VMware/release");
  script_require_ports("Host/VMware/vsphere");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

version = get_kb_item_or_exit("Host/VMware/version");
release = get_kb_item_or_exit("Host/VMware/release");
port = get_kb_item_or_exit("Host/VMware/vsphere");

fixes = make_array();
fixes["ESX 4.0"] = 175625;

matches = eregmatch(pattern:'^VMware (ESXi?).*build-([0-9]+)$', string:release);
if (empty_or_null(matches))
  exit(1, 'Failed to extract the ESX / ESXi build number.');

type = matches[1];
build = int(matches[2]);

fixed_build = fixes[version];

if (!isnull(fixed_build) && build < fixed_build)
{
  padding = crap(data:" ", length:8 - strlen(type)); # Spacing alignment

  report = '\n ' + type + ' version' + padding + ': ' + version +
           '\n Installed build : ' + build +
           '\n Fixed build : ' + fixed_build +
           '\n';

  security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);
}
else
  audit(AUDIT_INST_VER_NOT_VULN, "VMware " + version + " build " + build);
```
- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_13D6D997F45511DD8516001B77D09812.NASL
- description: Todd Miller reports : A bug was introduced in Sudo
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 35613
- published: 2009-02-09
- reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/35613
- title: FreeBSD : sudo -- certain authorized users could run commands as any user (13d6d997-f455-11dd-8516-001b77d09812)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(35613);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:39");

  script_cve_id("CVE-2009-0034");
  script_bugtraq_id(33517);

  script_name(english:"FreeBSD : sudo -- certain authorized users could run commands as any user (13d6d997-f455-11dd-8516-001b77d09812)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Todd Miller reports :
A bug was introduced in Sudo's group matching code in version 1.6.9
when support for matching based on the supplemental group vector was
added. This bug may allow certain users listed in the sudoers file to
run a command as a different user than their access rule specifies."
  );
  # http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?bf9ec653"
  );
  # https://vuxml.freebsd.org/freebsd/13d6d997-f455-11dd-8516-001b77d09812.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?236ac9c1"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:sudo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/02/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/02/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/02/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (pkg_test(save_report:TRUE, pkg:"sudo>=1.6.9<1.6.9.20")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200902-01.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200902-01 (sudo: Privilege escalation) Harald Koenig discovered that sudo incorrectly handles group specifications in Runas_Alias (and related) entries when a group is specified in the list (using %group syntax, to allow a user to run commands as any member of that group) and the user is already a member of that group. Impact : A local attacker could possibly run commands as an arbitrary system user (including root). Workaround : There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 35614
- published: 2009-02-09
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/35614
- title: GLSA-200902-01 : sudo: Privilege escalation
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200902-01.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(35614);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:45");

  script_cve_id("CVE-2009-0034");
  script_xref(name:"GLSA", value:"200902-01");

  script_name(english:"GLSA-200902-01 : sudo: Privilege escalation");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in
GLSA-200902-01 (sudo: Privilege escalation)
Harald Koenig discovered that sudo incorrectly handles group
specifications in Runas_Alias (and related) entries when a group is
specified in the list (using %group syntax, to allow a user to run
commands as any member of that group) and the user is already a
member of that group.
Impact :
A local attacker could possibly run commands as an arbitrary system
user (including root).
Workaround :
There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200902-01"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All sudo users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=app-admin/sudo-1.7.0'"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_cwe_id(264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:sudo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/02/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/02/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"app-admin/sudo", unaffected:make_list("ge 1.7.0"), vulnerable:make_list("lt 1.7.0"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sudo");
}
```
- NASL family: Mandriva Local Security Checks
- NASL id: MANDRIVA_MDVSA-2011-018.NASL
- description: Multiple vulnerabilities have been found and corrected in sudo : A patch for parse.c in sudo does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command. NOTE: this vulnerability exists because of a CVE-2009-0034 regression (CVE-2011-0008). check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured, does not require a password for command execution that involves a gid change but no uid change, which allows local users to bypass an intended authentication requirement via the -g option to a sudo command (CVE-2011-0010). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been upgraded to the latest versions (1.7.4p6) which is not affected by these issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 51809
- published: 2011-01-28
- reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/51809
- title: Mandriva Linux Security Advisory : sudo (MDVSA-2011:018)

- NASL family: Oracle Linux Local Security Checks
- NASL id: ORACLELINUX_ELSA-2009-0267.NASL
- description: From Red Hat Security Advisory 2009:0267 : An updated sudo package to fix a security issue is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root with logging. A flaw was discovered in a way sudo handled group specifications in
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 67801
- published: 2013-07-12
- reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/67801
- title: Oracle Linux 5 : sudo (ELSA-2009-0267)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2011-0470.NASL
- description:
  - rebase to 1.7.4p5
  - fixed sudo-1.7.4p4-getgrouplist.patch
  - fixes CVE-2011-0008, CVE-2011-0010

  Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 51566
- published: 2011-01-19
- reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/51566
- title: Fedora 14 : sudo-1.7.4p5-1.fc14 (2011-0470)

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2009-0267.NASL
- description: An updated sudo package to fix a security issue is now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root with logging. A flaw was discovered in a way sudo handled group specifications in
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 35605
- published: 2009-02-06
- reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/35605
- title: RHEL 5 : sudo (RHSA-2009:0267)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2009-1074.NASL
- description: Fix for incorrect handling of groups in Runas_User Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 36971
- published: 2009-04-23
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/36971
- title: Fedora 10 : sudo-1.6.9p17-5.fc10 (2009-1074)

- NASL family: Scientific Linux Local Security Checks
- NASL id: SL_20090205_SUDO_ON_SL5_X.NASL
- description: A flaw was discovered in a way sudo handled group specifications in
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 60529
- published: 2012-08-01
- reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/60529
- title: Scientific Linux Security Update : sudo on SL5.x i386/x86_64

- NASL family: VMware ESX Local Security Checks
- NASL id: VMWARE_VMSA-2009-0009.NASL
- description:
  - a. Service Console package udev. A vulnerability in the udev program did not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1185 to this issue. Please see http://kb.vmware.com/kb/1011786 for details.
  - b. Service Console package sudo. Service Console package for sudo has been updated to version sudo-1.6.9p17-3. This fixes the following issue: Sudo versions 1.6.9p17 through 1.6.9p19 do not properly interpret a system group in the sudoers file during authorization decisions for a user who belongs to that group, which might allow local users to leverage an applicable sudoers file and gain root privileges by using a sudo command. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0034 to this issue. Please see http://kb.vmware.com/kb/1011781 for more details
  - c. Service Console package curl. Service Console package for curl has been updated to version curl-7.15.5-2.1. This fixes the following issue: The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to trigger arbitrary requests to intranet servers, read or overwrite arbitrary files by using a redirect to a file: URL, or execute arbitrary commands by using a redirect to an scp: URL. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0037 to this issue. Please see http://kb.vmware.com/kb/1011782 for details
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 52011
- published: 2011-02-17
- reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/52011
- title: VMSA-2009-0009 : ESX Service Console updates for udev, sudo, and curl
Oval
accepted: 2013-04-29T04:09:24.797-04:00
class: vulnerability
contributors:
- name: Aharon Chernin, organization: SCAP.com, LLC
- name: Dragos Prisaca, organization: G2, Inc.
definition_extensions:
- comment: The operating system installed on the system is Red Hat Enterprise Linux 5, oval: oval:org.mitre.oval:def:11414
- comment: The operating system installed on the system is CentOS Linux 5.x, oval: oval:org.mitre.oval:def:15802
- comment: Oracle Linux 5.x, oval: oval:org.mitre.oval:def:15459
description: parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command.
family: unix
id: oval:org.mitre.oval:def:10856
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command.
version: 18

accepted: 2014-01-20T04:01:26.413-05:00
class: vulnerability
contributors:
- name: Michael Wood, organization: Hewlett-Packard
- name: Michael Wood, organization: Hewlett-Packard
- name: J. Daniel Brown, organization: DTCC
- name: Chris Coffin, organization: The MITRE Corporation
definition_extensions:
- comment: VMware ESX Server 4.0 is installed, oval: oval:org.mitre.oval:def:6293
description: parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command.
family: unix
id: oval:org.mitre.oval:def:6462
status: accepted
submitted: 2009-09-22T15:10:44.000-05:00
title: Sudo Supplemental Group Privilege Error Lets Certain Local Users Gain Elevated Privileges
version: 8
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 33517 CVE(CAN) ID: CVE-2009-0034 Sudo is a program that allows users to securely execute commands with the privileges of another user, and is widely used on Linux and Unix operating systems. When determining which group a user belongs to, the parse.c file in sudo does not correctly interpret a system group (also known as %group) in the sudoers configuration file; a local user can use the run-as-user-in-group feature to execute sudo commands with root privileges without password authentication. Todd Miller Sudo 1.6.9p17 - 1.6.9p19 Vendor patch: RedHat ------ RedHat has released a security advisory (RHSA-2009:0267-01) and a corresponding patch for this issue: RHSA-2009:0267-01:Moderate: sudo security update Link: https://www.redhat.com/support/errata/RHSA-2009-0267.html |
id | SSV:4797 |
last seen | 2017-11-19 |
modified | 2009-02-19 |
published | 2009-02-19 |
reporter | Root |
title | Todd Miller Sudo Runas_Alias group local privilege escalation vulnerability |
References
- https://issues.rpath.com/browse/RPL-2954
- http://www.securityfocus.com/bid/33517
- https://bugzilla.novell.com/show_bug.cgi?id=468923
- http://www.gratisoft.us/bugzilla/show_bug.cgi?id=327
- http://wiki.rpath.com/Advisories:rPSA-2009-0021
- http://www.sudo.ws/cgi-bin/cvsweb/sudo/parse.c.diff?r1=1.160.2.21&r2=1.160.2.22&f=h
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:033
- http://secunia.com/advisories/33753
- http://secunia.com/advisories/33885
- http://www.redhat.com/support/errata/RHSA-2009-0267.html
- http://osvdb.org/51736
- http://www.securitytracker.com/id?1021688
- http://secunia.com/advisories/33840
- http://www.vupen.com/english/advisories/2009/1865
- http://www.vmware.com/security/advisories/VMSA-2009-0009.html
- http://secunia.com/advisories/35766
- http://lists.vmware.com/pipermail/security-announce/2009/000060.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6462
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10856
- http://www.securityfocus.com/archive/1/504849/100/0/threaded
- http://www.securityfocus.com/archive/1/500546/100/0/threaded