November 11, 2004
A flaw exists in sudo's environment sanitizing prior to sudo
version 1.6.8p2 that could allow a malicious user with permission
to run a shell script that uses the bash shell to run arbitrary
commands. The /bin/sh shell on most (if not all) Linux systems is
Sudo versions affected:
All versions prior to 1.6.8p2.
This vulnerability has been assigned CVE-2004-1051
in the Common
Vulnerabilities and Exposures
When it starts up, bash searches the environment for
variables whose value begins with "()". For each
environment variable that matches, a function with the same name
as the variable is created, with the function body
taken from the variable's value.
A malicious user with sudo access to a shell script that uses bash
can use this feature to substitute arbitrary commands for any
program the script invokes by a bare name rather than an absolute
path: bash resolves shell functions before it searches PATH, so an
imported function shadows the real program of that name. Commands
invoked with a full path (anything containing a slash) are not
affected.
Exploitation of the bug requires that the bash shell be installed
on the machine and that users be granted sudo access to run scripts
written in bash. On most (if not all) Linux systems, /bin/sh is
bash so /bin/sh scripts are affected by this as well.
The bug is fixed in sudo 1.6.8p2.
The administrator can add a line to the sudoers file:
that will reset the environment to only contain the variables
HOME, LOGNAME, PATH, SHELL, TERM, and USER, preventing this attack.
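The following is an added example, not code from the sudo project or from this advisory. It models the two halves of the problem described above: the bash startup behaviour that turns "()"-valued environment variables into functions (and so lets an attacker shadow any command a script calls by bare name), and the sudo-side defences: dropping such variables outright, and the env_reset whitelist of HOME, LOGNAME, PATH, SHELL, TERM and USER that the sudoers line above produces (the sudoers option behind that whitelist is env_reset). The attacker environment and the script's command list are constructed for the example; the exact strings bash and sudo match on are assumptions noted in the comments.

```python
"""Model of the CVE-2004-1051 environment flow: bash function import on one
side, sudo's environment sanitizing on the other.  Added example; the
environment below is constructed, nothing here is sudo's or bash's code."""

# Variables that survive when env_reset is in effect (list from the advisory).
ENV_RESET_KEEP = ("HOME", "LOGNAME", "PATH", "SHELL", "TERM", "USER")

# Assumption: 2004-era bash imported a variable as a function when its value
# began with "() {" (the advisory says "()"); the body is what sits between
# the braces.
FUNC_PREFIX = "() {"


def bash_imported_functions(env):
    """Return {name: body} for every variable bash would turn into a function."""
    funcs = {}
    for name, value in env.items():
        if value.startswith(FUNC_PREFIX) and value.rstrip().endswith("}"):
            body = value[len(FUNC_PREFIX):].rstrip()[:-1]
            funcs[name] = body.strip()
    return funcs


def resolve_command(word, env):
    """What a bash script's command word resolves to under a given environment.

    Bash looks up functions before searching PATH, so an imported function
    shadows a bare command name.  A word containing a slash is executed as a
    path and is never replaced by a function.
    """
    if "/" in word:
        return ("path", word)
    funcs = bash_imported_functions(env)
    if word in funcs:
        return ("function", funcs[word])
    return ("PATH lookup", word)


def sanitize_env(env, env_reset=False):
    """sudo-side sanitizing.

    Always drops variables whose value begins with "()" (assumption: this is
    the check sudo 1.6.8p2 added); with env_reset, additionally keeps only
    the ENV_RESET_KEEP whitelist.
    """
    clean = {}
    for name, value in env.items():
        if value.startswith("()"):
            continue
        if env_reset and name not in ENV_RESET_KEEP:
            continue
        clean[name] = value
    return clean


def audit_script(commands, env):
    """Map each command word a script runs to its resolution under env."""
    return {word: resolve_command(word, env) for word in commands}


# Constructed attacker environment: two bare command names are shadowed.
ATTACKER_ENV = {
    "HOME": "/home/mallory", "LOGNAME": "mallory", "USER": "mallory",
    "PATH": "/usr/bin:/bin", "SHELL": "/bin/bash", "TERM": "xterm",
    "EDITOR": "vi",
    "ls": "() { echo pwned; }",   # bash would define ls() at startup
    "cp": "() { /bin/sh; }",      # ... and cp() as an interactive shell
}

# Constructed command words from a script an admin might allow via sudo.
SCRIPT_COMMANDS = ["ls", "cp", "/bin/tar", "mount"]


if __name__ == "__main__":
    for label, env in (("unsanitized", ATTACKER_ENV),
                       ("1.6.8p2 check", sanitize_env(ATTACKER_ENV)),
                       ("env_reset", sanitize_env(ATTACKER_ENV, env_reset=True))):
        print(label)
        for word, how in audit_script(SCRIPT_COMMANDS, env).items():
            print("  %-9s -> %s %s" % (word, how[0], how[1]))
```

Running the block shows `ls` and `cp` resolving to the attacker's functions only in the unsanitized case; `/bin/tar` is untouched in every case because bash never consults functions for a word containing a slash, which is also why fully qualifying every command in a sudo-exposed script is a worthwhile defence independent of the sudo upgrade.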
This problem was brought to my attention by Liam Helmer.