[39035] in bugtraq
Re: [security@suse.de] [XNUXER-SECURITY] Root Privilige Escalation in Sudo version 1.6.8p7 without Password, SuSE 9.3
daemon@ATHENA.MIT.EDU (Marcus Meissner)
Tue May 31 12:17:27 2005
Date: Tue, 31 May 2005 10:52:18 +0200
From: Marcus Meissner <meissner@suse.de>
To: Xnuxer Security <xnusec@gmail.com>
Cc: bugtraq@securityfocus.com, made@nakula.rvs.uni-bielefeld.de,
security@suse.de
Message-ID: <20050531085218.GA10534@suse.de>
In-Reply-To: <e9ec72305053023023b376fd8@mail.gmail.com>
On Tue, May 31, 2005 at 01:02:22PM +0700, Xnuxer Security wrote:
> Today, 31 May 2005, I found error with root privilege escalation in
> Sudo version 1.6.8p7 that package installed with SuSE 9.3. Testing in
> my machine, sudo appear not check is true when I press CTRL + C with
> blank password and giving status SID as root privilege to SID user. I
> got successful as root without need a password but only use blank
> password and press CTRL + C. Please check my testing below in my SuSE
> 9.3 box:
>
> client@mysuse:~> cat /etc/issue
>
> Welcome to SuSE Linux 9.3 (i586) - Kernel \r (\l).
>
>
> client@mysuse:~> id
> uid=1000(client) gid=100(users) groups=16(dialout),33(video),100(users)
> client@mysuse:~> uname -a
> Linux mysuse 2.6.11.4-20a-default #1 Wed Mar 23 21:52:37 UTC 2005 i686
> i686 i386 GNU/Linux
> client@mysuse:~> sudo -V
> Sudo version 1.6.8p7
> client@mysuse:~> sudo su
> Password: <---- fake password and press ENTER
> Sorry, try again.
> Password: <---- blank password and press CTRL + C
> mysuse:/home/client #
> mysuse:/home/client # uname -a; id; uptime
> Linux mysuse 2.6.11.4-20a-default #1 Wed Mar 23 21:52:37 UTC 2005 i686
> i686 i386 GNU/Linux
> uid=0(root) gid=0(root) groups=0(root)
> 12:29pm up 2:45, 3 users, load average: 0.14, 0.29, 0.45
> mysuse:/home/client #
>
> Other sudo version is not check yet, about affect in other distro of
> linux not check too but possible vulnerable, please check it. SuSE
> Security still contacted by me.
I cannot reproduce this in the default installation of sudo in SUSE Linux
9.3.
Did you adapt the sudo config file in some way?
What exactly do you mean with "blank password"? Empty? Or a number
of spaces?
Ciao, Marcus