Vulnerabilities > CVE-2010-1163 - Improper Input Validation vulnerability in Todd Miller Sudo

047910
CVSS 6.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
todd-miller
CWE-20
nessus

Summary

The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ".", which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_1A9F678D48CA11DF85F8000C29A67389.NASL
    descriptionTodd Miller reports : Sudo
    last seen2020-06-01
    modified2020-06-02
    plugin id45547
    published2010-04-16
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/45547
    titleFreeBSD : sudo -- Privilege escalation with sudoedit (1a9f678d-48ca-11df-85f8-000c29a67389)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(45547);
      script_version("1.10");
      script_cvs_date("Date: 2019/08/02 13:32:40");
    
      script_cve_id("CVE-2010-1163");
    
      script_name(english:"FreeBSD : sudo -- Privilege escalation with sudoedit (1a9f678d-48ca-11df-85f8-000c29a67389)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Todd Miller reports :
    
    Sudo's command matching routine expects actual commands to include one
    or more slash ('/') characters. The flaw is that sudo's path
    resolution code did not add a './' prefix to commands found in the
    current working directory. This creates an ambiguity between a
    'sudoedit' command found in the cwd and the 'sudoedit' pseudo-command
    in the sudoers file. As a result, a user may be able to run an
    arbitrary command named 'sudoedit' in the current working directory.
    For the attack to be successful, the PATH environment variable must
    include '.' and may not include any other directory that contains a
    'sudoedit' command."
      );
      # http://www.sudo.ws/pipermail/sudo-announce/2010-April/000093.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.sudo.ws/pipermail/sudo-announce/2010-April/000093.html"
      );
      # http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html"
      );
      # https://vuxml.freebsd.org/freebsd/1a9f678d-48ca-11df-85f8-000c29a67389.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f82f4adc"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:sudo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/04/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"sudo<1.7.2.6")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_3_SUDO-110114.NASL
    descriptionThis update of sudo fixes : - CVE-2011-0010: Does ask for the user password for GID changes now. - CVE-2010-1646: CVSS v2 Base Score: 6.6 (CWE-264): The secure environment option can handle multiple occurrence of PATH now. - CVE-2010-1163: CVSS v2 Base Score: 6.9 (CWE-20): Improved command matching.
    last seen2020-06-01
    modified2020-06-02
    plugin id75751
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75751
    titleopenSUSE Security Update : sudo (openSUSE-SU-2011:0050-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update sudo-3811.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75751);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/25 13:36:41");
    
      script_cve_id("CVE-2010-1163", "CVE-2010-1646", "CVE-2011-0010");
    
      script_name(english:"openSUSE Security Update : sudo (openSUSE-SU-2011:0050-1)");
      script_summary(english:"Check for the sudo-3811 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of sudo fixes :
    
      - CVE-2011-0010: Does ask for the user password for GID
        changes now.
    
      - CVE-2010-1646: CVSS v2 Base Score: 6.6 (CWE-264): The
        secure environment option can handle multiple occurrence
        of PATH now.
    
      - CVE-2010-1163: CVSS v2 Base Score: 6.9 (CWE-20):
        Improved command matching."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=594738"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=663881"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2011-01/msg00022.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected sudo package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:sudo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.3", reference:"sudo-1.7.2p7-2.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sudo");
    }
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2010-110-01.NASL
    descriptionNew sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id45581
    published2010-04-21
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/45581
    titleSlackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 8.1 / 9.0 / 9.1 / current : sudo (SSA:2010-110-01)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2010-110-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(45581);
      script_version("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:21");
    
      script_cve_id("CVE-2010-0426", "CVE-2010-1163");
      script_bugtraq_id(38362, 39468);
      script_xref(name:"SSA", value:"2010-110-01");
    
      script_name(english:"Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 8.1 / 9.0 / 9.1 / current : sudo (SSA:2010-110-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New sudo packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
    10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, and -current to fix security
    issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.577019
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9dbaf1f7"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected sudo package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:sudo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:11.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:12.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/04/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"8.1", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i386", pkgnum:"1_slack8.1")) flag++;
    
    if (slackware_check(osver:"9.0", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i386", pkgnum:"1_slack9.0")) flag++;
    
    if (slackware_check(osver:"9.1", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i486", pkgnum:"1_slack9.1")) flag++;
    
    if (slackware_check(osver:"10.0", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i486", pkgnum:"1_slack10.0")) flag++;
    
    if (slackware_check(osver:"10.1", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i486", pkgnum:"1_slack10.1")) flag++;
    
    if (slackware_check(osver:"10.2", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i486", pkgnum:"1_slack10.2")) flag++;
    
    if (slackware_check(osver:"11.0", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i486", pkgnum:"1_slack11.0")) flag++;
    
    if (slackware_check(osver:"12.0", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i486", pkgnum:"1_slack12.0")) flag++;
    
    if (slackware_check(osver:"12.1", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i486", pkgnum:"1_slack12.1")) flag++;
    
    if (slackware_check(osver:"12.2", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i486", pkgnum:"1_slack12.2")) flag++;
    
    if (slackware_check(osver:"13.0", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i486", pkgnum:"1_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"x86_64", pkgnum:"1_slack13.0")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"i486", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"sudo", pkgver:"1.7.2p6", pkgarch:"x86_64", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2010-0476.NASL
    descriptionAn updated rhev-hypervisor package that fixes two security issues, multiple bugs, and adds enhancements is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way QEMU-KVM handled erroneous data provided by the Linux virtio-net driver, used by guest operating systems. Due to a deficiency in the TSO (TCP segment offloading) implementation, a guest
    last seen2020-06-01
    modified2020-06-02
    plugin id79275
    published2014-11-17
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79275
    titleRHEL 5 : rhev-hypervisor (RHSA-2010:0476)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2010-0361.NASL
    descriptionFrom Red Hat Security Advisory 2010:0361 : An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. The RHBA-2010:0212 sudo update released as part of Red Hat Enterprise Linux 5.5 added the ability to change the value of the ignore_dot option in the
    last seen2020-06-01
    modified2020-06-02
    plugin id68033
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68033
    titleOracle Linux 5 : sudo (ELSA-2010-0361)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2010-0361.NASL
    descriptionAn updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. The RHBA-2010:0212 sudo update released as part of Red Hat Enterprise Linux 5.5 added the ability to change the value of the ignore_dot option in the
    last seen2020-06-01
    modified2020-06-02
    plugin id46302
    published2010-05-11
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/46302
    titleRHEL 5 : sudo (RHSA-2010:0361)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2010-0361.NASL
    descriptionAn updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root. The RHBA-2010:0212 sudo update released as part of Red Hat Enterprise Linux 5.5 added the ability to change the value of the ignore_dot option in the
    last seen2020-06-01
    modified2020-06-02
    plugin id46756
    published2010-06-01
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/46756
    titleCentOS 5 : sudo (CESA-2010:0361)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20100420_SUDO_ON_SL5_X.NASL
    descriptionIn configurations where the ignore_dot option was set to off (the default is on for the Scientific Linux 5 sudo package), a local user authorized to use the sudoedit pseudo-command could possibly run arbitrary commands with the privileges of the users sudoedit was authorized to run as. (CVE-2010-1163)
    last seen2020-06-01
    modified2020-06-02
    plugin id60784
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60784
    titleScientific Linux Security Update : sudo on SL5.x i386/x86_64
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2010-078.NASL
    descriptionA vulnerability has been found and corrected in sudo : The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ., which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426 (CVE-2010-1163). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue. Update : Packages for 2009.0 are provided due to the Extended Maintenance Program.
    last seen2020-06-01
    modified2020-06-02
    plugin id45564
    published2010-04-19
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/45564
    titleMandriva Linux Security Advisory : sudo (MDVSA-2010:078-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_SUDO-110114.NASL
    descriptionThis update of sudo fixes : - CVE-2011-0010: Does ask for the user password for GID changes now. - CVE-2010-1646: CVSS v2 Base Score: 6.6 (CWE-264): The secure environment option can handle multiple occurrence of PATH now. - CVE-2010-1163: CVSS v2 Base Score: 6.9 (CWE-20): Improved command matching.
    last seen2020-06-01
    modified2020-06-02
    plugin id53801
    published2011-05-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53801
    titleopenSUSE Security Update : sudo (openSUSE-SU-2011:0050-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2010-6756.NASL
    description - update to new upstream version - merged .audit and .libaudit patch - added sudoers.ldap.5* to files - http://sudo.ws/sudo/alerts/sudoedit_escalate2.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id47449
    published2010-07-01
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/47449
    titleFedora 13 : sudo-1.7.2p6-1.fc13 (2010-6756)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201006-09.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201006-09 (sudo: Privilege escalation) The command matching functionality does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for
    last seen2020-06-01
    modified2020-06-02
    plugin id46776
    published2010-06-02
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/46776
    titleGLSA-201006-09 : sudo: Privilege escalation

Oval

accepted2013-04-29T04:19:04.076-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionThe command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ".", which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426.
familyunix
idoval:org.mitre.oval:def:9382
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleThe command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ".", which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426.
version18

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/88672/2010-02-sudo.txt
idPACKETSTORM:88672
last seen2016-12-05
published2010-04-20
reporterMaurizio Agazzini
sourcehttps://packetstormsecurity.com/files/88672/Sudo-1.7.2p5-Local-Privilege-Escalation.html
titleSudo 1.7.2p5 Local Privilege Escalation

Redhat

advisories
bugzilla
id580441
titleCVE-2010-1163 sudo: incomplete fix for the sudoedit privilege escalation issue CVE-2010-0426
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • commentsudo is earlier than 0:1.7.2p1-6.el5_5
      ovaloval:com.redhat.rhsa:tst:20100361001
    • commentsudo is signed with Red Hat redhatrelease key
      ovaloval:com.redhat.rhsa:tst:20090267002
rhsa
idRHSA-2010:0361
released2010-04-20
severityModerate
titleRHSA-2010:0361: sudo security update (Moderate)
rpms
  • sudo-0:1.7.2p1-6.el5_5
  • sudo-debuginfo-0:1.7.2p1-6.el5_5

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 39468 CVE ID: CVE-2010-1163 Sudo是一款允许用户以其他用户权限安全的执行命令的程序,广泛使用在Linux和Unix操作系统下。 当sudo执行命令匹配时,存在sudoers文件中存在伪命令的特殊情况(目前唯一的伪命令是sudoedit)。与正常命令不同,伪命令中不包含有路径组件。Sudo的命令匹配例程认为实际命令中应包含有一个或多个“/”字符,而sudo的路径解析代码没有向当前工作目录中所找到的命令添加“./”前缀,这就在cwd中所发现的sudoedit命令与sudoers文件中的sudoedit伪命令之间造成了歧义,导致用户可以在当前工作目录中运行任意名为sudoedit的命令。 如果要成功执行攻击,PATH环境变量必须包含有“.”且不应包含任何存在sudoedit命令的目录;此外还要禁用了ignore_dot或 secure_path选项。 Todd Miller Sudo 1.6.8 - 1.7.2 p5 临时解决方法: * 启用ignore_dot sudoers选项。 厂商补丁: Todd Miller ----------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.sudo.ws/sudo/dist/ Ubuntu ------ Ubuntu已经为此发布了一个安全公告(USN-928-1)以及相应补丁: USN-928-1:Sudo vulnerability 链接:http://www.ubuntu.com/usn/USN-928-1
idSSV:19476
last seen2017-11-19
modified2010-04-19
published2010-04-19
reporterRoot
titleSudo sudoedit路径解析本地权限提升漏洞

References