Sudo未清环境变量导致以root身份执行命令漏洞

漏洞信息详情

Sudo未清环境变量导致以root身份执行命令漏洞

• CNNVD编号：CNNVD-200201-013
• 危害等级： 高危
  
  
• CVE编号：
  CVE-2002-0043
  
• 漏洞类型：
  
  
  输入验证
  
• 发布时间：
  
  2002-01-31
  
• 威胁类型：
  
  
  本地
  
• 更新时间：
  
  2006-09-05
  
• 厂        商：
  
  todd_miller
• 漏洞来源：
  Sebastian Krahmer※…

Sudo是一个免费的，开放源码的许可权限管理软件，运行于Linux及一些Unix平台下，程序由Todd C. Miller维护。
Sudo存在一个漏洞输入验证漏洞，可以使本地攻击者以root身份执行程序。
在某些情况下，sudo不会正确地清空程序运行时的环境变量。当sudo以root身份去运行一个程序比如MTA时，这可能会导致一个本地用户通过环境变量把非法的数据传递给程序。利用那些环境变量攻击者可能以root身份执行命令，从而提升自己的权限。

临时解决方法：
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁：

* 暂时去掉sudo程序的的suid属性。

# chmod a-s suid
厂商补丁：
Conectiva
———
Conectiva已经为此发布了一个安全公告(CLA-2002:451)以及相应补丁:

CLA-2002:451：sudo

补丁下载：

ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/sudo-1.6.4p1-1U50_1cl.src.rpm

ftp://atualizacoes.conectiva.com.br/5.0/i386/sudo-1.6.4p1-1U50_1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/5.0/i386/sudo-doc-1.6.4p1-1U50_1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/sudo-1.6.4p1-1U51_1cl.src.rpm

ftp://atualizacoes.conectiva.com.br/5.1/i386/sudo-1.6.4p1-1U51_1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/5.1/i386/sudo-doc-1.6.4p1-1U51_1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sudo-1.6.4p1-1U60_1cl.src.rpm

ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sudo-1.6.4p1-1U60_1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sudo-doc-1.6.4p1-1U60_1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sudo-1.6.4p1-1U70_1cl.src.rpm

ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sudo-1.6.4p1-1U70_1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sudo-doc-1.6.4p1-1U70_1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/sudo-1.6.4p1-1U50_1cl.src.rpm

ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sudo-1.6.4p1-1U50_1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sudo-doc-1.6.4p1-1U50_1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/sudo-1.6.4p1-1U50_1cl.src.rpm

ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sudo-1.6.4p1-1U50_1cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sudo-doc-1.6.4p1-1U50_1cl.i386.rpm
Debian
——
Debian已经为此发布了一个安全公告(DSA-101-1)以及相应补丁:

DSA-101-1：New sudo packages fix local root exploit

链接：http://www.debian.org/security/2002/dsa-101” target=”_blank”>
http://www.debian.org/security/2002/dsa-101

补丁下载：

Debian GNU/Linux 2.2 alias potato

– ————————————

Source archives:

http://security.debian.org/dists/stable/updates/main/source/sudo_1.6.2p2-2.1.dsc” target=”_blank”>
http://security.debian.org/dists/stable/updates/main/source/sudo_1.6.2p2-2.1.dsc

http://security.debian.org/dists/stable/updates/main/source/sudo_1.6.2p2-2.1.diff.gz” target=”_blank”>
http://security.debian.org/dists/stable/updates/main/source/sudo_1.6.2p2-2.1.diff.gz

http://security.debian.org/dists/stable/updates/main/source/sudo_1.6.2p2.orig.tar.gz” target=”_blank”>
http://security.debian.org/dists/stable/updates/main/source/sudo_1.6.2p2.orig.tar.gz

Alpha architecture:

http://security.debian.org/dists/stable/updates/main/binary-alpha/sudo_1.6.2p2-2.1_alpha.deb” target=”_blank”>
http://security.debian.org/dists/stable/updates/main/binary-alpha/sudo_1.6.2p2-2.1_alpha.deb

ARM architecture:

http://security.debian.org/dists/stable/updates/main/binary-arm/sudo_1.6.2p2-2.1_arm.deb” target=”_blank”>
http://security.debian.org/dists/stable/updates/main/binary-arm/sudo_1.6.2p2-2.1_arm.deb

Intel ia32 architecture:

http://security.debian.org/dists/stable/updates/main/binary-i386/sudo_1.6.2p2-2.1_i386.deb” target=”_blank”>
http://security.debian.org/dists/stable/updates/main/binary-i386/sudo_1.6.2p2-2.1_i386.deb

Motorola 680×0 architecture:

http://security.debian.org/dists/stable/updates/main/binary-m68k/sudo_1.6.2p2-2.1_m68k.deb” target=”_blank”>
http://security.debian.org/dists/stable/updates/main/binary-m68k/sudo_1.6.2p2-2.1_m68k.deb

PowerPC architecture:

http://security.debian.org/dists/stable/updates/main/binary-powerpc/sudo_1.6.2p2-2.1_powerpc.deb” target=”_blank”>
http://security.debian.org/dists/stable/updates/main/binary-powerpc/sudo_1.6.2p2-2.1_powerpc.deb

Sun Sparc architecture:

http://security.debian.org/dists/stable/updates/main/binary-sparc/sudo_1.6.2p2-2.1_sparc.deb” target=”_blank”>
http://security.debian.org/dists/stable/updates/main/binary-sparc/sudo_1.6.2p2-2.1_sparc.deb
FreeBSD
——-
FreeBSD已经为此发布了一个安全公告(FreeBSD-SA-02:06)以及相应补丁:

FreeBSD-SA-02:06：sudo port may enable local privilege escalation

链接：ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:06.sudo.asc

您可以采用下列方法中的任意一种来修复该安全漏洞：

1) 对整个移植集进行升级并重建该移植。

2) 卸载旧版软件包，再从下列地址下载并安装一个修正日期后发布的新版软件包：

[i386]

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/sudo-1.6.4.1.tgz

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/sudo-1.6.4.1.tgz

3) 从下列地址下载一个新版sudo移植架构并用它重建该移植：

http://www.freebsd.org/ports/” target=”_blank”>
http://www.freebsd.org/ports/

4) 用portcheckout自动执行第(3)条办法。portcheckout移植在

/usr/ports/devel/portcheckout，也可从下列地址下载：

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
MandrakeSoft
————
MandrakeSoft已经为此发布了一个安全公告(MDKSA-2002:003)以及相应补丁:

MDKSA-2002:003：sudo update

链接：http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-003.php3” target=”_blank”>
http://www.linux