Sudo privilege escalation flaw (CVE-2010-2956)

A CVE note that popped up this morning is linked to sudo versions before 1.7.4p4. The CVE record is not complete yet but apparently sudo fails to restrict user access when using Runas groups with group (-g) command line option. Secunia says it is related to the -u option. Sudo.ws puts it all together and explains it’s the -g with the -u.

Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.

In either case a local user could escalate privileges but only as defined for commands in the sudoers file. Examples of how to test the flaw are conveniently listed by Sudo.ws.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.