Sudo CVE 2009-0034: possible elevated access

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Sudo CVE 2009-0034: possible elevated access

Todd C. Miller
    A bug was introduced in Sudo's group matching code in version
    1.6.9 when support for matching based on the supplemental group
    vector was added.  This bug may allow certain users listed in
    the sudoers file to run a command as a different user than their
    access rule specifies.

Patch for OpenBSD 4.3:

Patch for OpenBSD 4.4:

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.  OpenBSD-current is not affected.

    Given a sudoers rule like the following:

        bob ALL=(%users) ALL

    user bob should only be able to run commands as a user that
    is a member of the Unix group users.

    However, due to the bug, if bob is himself a member of users,
    he will actually be able to run a command as any user.

    The bug only impacts sudoers configurations where a Unix group
    is used in the RunAs list, which is (%users) in the example above.

    For example, the following sudoers rule is not affected
    by the bug:

        bob ALL = ALL

    This problem was brought to my attention by Harald Koenig.

    Code was added to sudo version 1.7.0 to cache the user's
    supplemental group vector and use it in group matches.  When
    this changed was back-ported to sudo version 1.6.9, the check
    to only use the supplemental groups when matching against the
    invoking user got dropped.