CVE-2017-1000367 – Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2017-1000367
Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution. Un Sudo de Todd Miller’s versión 1.8.20 y anteriores es vulnerable a una validación de entrada (espacios insertados) en la función get_process_ttyname(), resultando en la divulgación de información y la ejecución de comandos. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution. • https://www.exploit-db.com/exploits/42183 https://github.com/c0d3z3r0/sudo-CVE-2017-1000367 https://github.com/homjxi0e/CVE-2017-1000367 http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00077.html http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00078.html http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00079.html http://packetstormsecurity.com/files/142783/Sudo-get_process_ttyname-Race-Condition.html http://seclists.org/fulldisclosure/2017/Jun/3 http& • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-807: Reliance on Untrusted Inputs in a Security Decision •
CVE-2016-7032 – sudo: noexec bypass via system() and popen()
https://notcve.org/view.php?id=CVE-2016-7032
sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen function. Sudo_noexec.so en Sudo en versiones anteriores a 1.8.15 en Linux podría permitir a los usuarios locales evitar las restricciones de comandos noexec pretendidas a través de una aplicación que llama al (1) sistema o (2) a la función popen. It was discovered that the sudo noexec restriction could have been bypassed if application run via sudo executed system() or popen() C library functions with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could use this flaw to execute arbitrary commands with elevated privileges. • http://rhn.redhat.com/errata/RHSA-2016-2872.html http://www.securityfocus.com/bid/95776 https://bugzilla.redhat.com/show_bug.cgi?id=1372830 https://usn.ubuntu.com/3968-3 https://www.sudo.ws/alerts/noexec_bypass.html https://access.redhat.com/security/cve/CVE-2016-7032 • CWE-184: Incomplete List of Disallowed Inputs CWE-284: Improper Access Control •
CVE-2016-7076 – sudo: noexec bypass via wordexp()
https://notcve.org/view.php?id=CVE-2016-7076
sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges. sudo en versiones anteriores a la 1.8.18p1 es vulnerable a una omisión en la restricción noexec de sudo si la aplicación que se ejecuta mediante sudo ejecuta la función de la biblioteca de C wordexp() con un argumento proporcionado por el usuario. Un usuario local que pueda ejecutar tal aplicación mediante sudo con la restricción noexec podría emplear este error para ejecutar comandos arbitrarios con privilegios elevados. It was discovered that the sudo noexec restriction could have been bypassed if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges. • http://rhn.redhat.com/errata/RHSA-2016-2872.html http://www.securityfocus.com/bid/95778 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7076 https://security.netapp.com/advisory/ntap-20181127-0002 https://usn.ubuntu.com/3968-1 https://usn.ubuntu.com/3968-3 https://www.sudo.ws/alerts/noexec_wordexp.html https://access.redhat.com/security/cve/CVE-2016-7076 https://bugzilla.redhat.com/show_bug.cgi?id=1384982 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-184: Incomplete List of Disallowed Inputs •
CVE-2015-5602 – Sudo 1.8.14 (RHEL 5/6/7 / Ubuntu) - 'Sudoedit' Unauthorized Privilege Escalation
https://notcve.org/view.php?id=CVE-2015-5602
sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/file.txt." sudoedit en Sudo en versiones anteriores a 1.8.15 permite a usuarios locales obtener privilegios a través de un ataque de enlaces simbólicos en un archivo cuya totalidad de la ruta se define utilizando múltiples comodines en /etc/sudoers, según lo demostrado mediante '/home/*/*/file.txt.' • https://www.exploit-db.com/exploits/37710 https://github.com/t0kx/privesc-CVE-2015-5602 http://bugzilla.sudo.ws/show_bug.cgi?id=707 http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171024.html http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171054.html http://www.debian.org/security/2016/dsa-3440 http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securitytracker.com/id/1034392 http://www.sudo.ws/stable • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-9680 – sudo: unsafe handling of TZ environment variable
https://notcve.org/view.php?id=CVE-2014-9680
sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives. sudo en versiones anteriores a 1.8.12 no garantiza que la variable de entorno TZ esté asociada con un archivo zoneinfo, lo que permite a usuarios locales abrir archivos arbitrarios para acceso de lectura (pero no ver el contenido del archivo) ejecutando un programa dentro de una sesión sudo, como lo demuestra interfiriendo con la salida del terminal, descartando los mensajes del kernel-log o reposicionando las unidades de cinta. It was discovered that sudo did not perform any checks of the TZ environment variable value. If sudo was configured to preserve the TZ environment variable, a local user with privileges to execute commands via sudo could possibly use this flaw to achieve system state changes not permitted by the configured commands. Note: The default sudoers configuration in Red Hat Enterprise Linux removes the TZ variable from the environment in which commands run by sudo are executed. • http://openwall.com/lists/oss-security/2014/10/15/24 http://rhn.redhat.com/errata/RHSA-2015-1409.html http://www.securitytracker.com/id/1033158 http://www.sudo.ws/alerts/tz.html https://security.gentoo.org/glsa/201504-02 https://access.redhat.com/security/cve/CVE-2014-9680 https://bugzilla.redhat.com/show_bug.cgi?id=1191144 • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •