touch-packages team mailing list archive

[Bug 1512781] Re: CVE-2015-5602 - Unauthorized Privilege Escalation

** Information type changed from Private Security to Public Security

** Also affects: sudo (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: sudo (Ubuntu Wily)
   Importance: Undecided
       Status: New

** Also affects: sudo (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: sudo (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: sudo (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Changed in: sudo (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: sudo (Ubuntu Trusty)
       Status: New => Confirmed

** Changed in: sudo (Ubuntu Vivid)
       Status: New => Confirmed

** Changed in: sudo (Ubuntu Wily)
       Status: New => Confirmed

** Changed in: sudo (Ubuntu Xenial)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1512781

Title:
  CVE-2015-5602 - Unauthorized Privilege Escalation

Status in sudo package in Ubuntu:
  Confirmed
Status in sudo source package in Precise:
  Confirmed
Status in sudo source package in Trusty:
  Confirmed
Status in sudo source package in Vivid:
  Confirmed
Status in sudo source package in Wily:
  Confirmed
Status in sudo source package in Xenial:
  Confirmed

Bug description:
  https://www.exploit-db.com/exploits/37710/

  As described in the link above, sudo versions lower than or equal to
  1.8.14 have a security issue: a user with root access to a path with
  more than one wildcard can access forbidden files such as /etc/shadow,
  because sudoedit (sudo -e) does not verify the full path of the
  accessed file:

  (quote from link above)

  It seems that sudoedit does not check the full path if a wildcard is used
  twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the
  file.txt real file with a symbolic link to a different location (e.g.
  /etc/shadow).

  As an example,

  1. Give user `usr' the right to edit some of his files:

  usr ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt

  2. Under usr, create the ~/temp directory, and then create a symlink
  ~/temp/test.txt to /etc/shadow

  3. Perform sudoedit ~/temp/test.txt - you will be able to access
  /etc/shadow.

  What release is affected: tested on all currently supported Ubuntu
  versions. For me personally, it's 14.04 LTS.

  What version is affected: as mentioned, all versions <=1.8.14. For
  me personally, it's 1.8.9p5

  What was expected and what happened instead: sudoedit should check the
  full real path, but it didn't.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1512781/+subscriptions
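
An added example, not part of the original bug report or of sudo itself: a small Python audit that scans sudoers text for the rule shape the report describes, a sudoedit path containing more than one wildcard. The sample sudoers content and the names `logical_lines` and `audit_sudoedit_rules` are constructed for illustration.

```python
import re

# Constructed sample sudoers content for illustration (not from a real host).
SAMPLE_SUDOERS = r"""
# old rule, disabled: sudoedit /opt/*/*/app.conf
usr ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt
ops ALL=(root) sudoedit /etc/motd
web ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, \
    sudoedit /var/www/*/conf/site.conf
dev ALL=(root) sudoedit /srv/*/cfg/*.ini, sudoedit /etc/hosts
"""

WILDCARD = re.compile(r"[*?\[]")                 # glob metacharacters
SUDOEDIT = re.compile(r"\bsudoedit\s+([^,]+)")   # file arguments up to the next comma


def logical_lines(text):
    """Yield sudoers entries with continuations joined and comment lines skipped."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def audit_sudoedit_rules(text, threshold=2):
    """Return (path, wildcard_count) for sudoedit paths with >= threshold wildcards."""
    findings = []
    for line in logical_lines(text):
        for match in SUDOEDIT.finditer(line):
            for path in match.group(1).split():
                count = len(WILDCARD.findall(path))
                if count >= threshold:
                    findings.append((path, count))
    return findings


if __name__ == "__main__":
    for path, count in audit_sudoedit_rules(SAMPLE_SUDOERS):
        print(f"review: sudoedit {path} ({count} wildcards)")
```

Rules it reports are the ones to rewrite with literal paths on hosts running the sudo versions the report names as affected.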