BID:13171

Sudo VISudo Insecure Temporary File Creation Vulnerability

Info

Sudo VISudo Insecure Temporary File Creation Vulnerability

Bugtraq ID:	13171
Class:	Design Error
CVE:
Remote:	No
Local:	Yes
Published:	Apr 14 2005 12:00AM
Updated:	Apr 14 2005 12:00AM
Credit:	Discovery of this issue is credited to Imran Ghory <[email protected]>.
Vulnerable:	Todd Miller Sudo 1.6.8 p8 + OpenPKG OpenPKG 2.4 + OpenPKG OpenPKG Current + Red Hat Fedora Core4 Todd Miller Sudo 1.6.8 p1 + Mandriva Linux Mandrake 10.2 x86_64 + Mandriva Linux Mandrake 10.2 + Mandriva Linux Mandrake 10.1 x86_64 + Mandriva Linux Mandrake 10.1 + OpenPKG OpenPKG 2.2 + OpenPKG OpenPKG Current Todd Miller Sudo 1.6.8 Todd Miller Sudo 1.6.7 p5 + Conectiva Linux 10.0 + Conectiva Linux 9.0 + MandrakeSoft Corporate Server 3.0 x86_64 + MandrakeSoft Corporate Server 3.0 + Mandriva Linux Mandrake 10.0 AMD64 + Mandriva Linux Mandrake 10.0 + OpenPKG OpenPKG 2.1 + Red Hat Fedora Core3 + Ubuntu Ubuntu Linux 4.1 ppc + Ubuntu Ubuntu Linux 4.1 ia64 + Ubuntu Ubuntu Linux 4.1 ia32 Todd Miller Sudo 1.6.7 Todd Miller Sudo 1.6.6 + Conectiva Linux 8.0 + Conectiva Linux 7.0 + Conectiva Linux 6.0 + Conectiva Linux 5.1 + Conectiva Linux 5.0 + Conectiva Linux graficas + Conectiva Linux ecommerce + Debian Linux 3.0 sparc + Debian Linux 3.0 s/390 + Debian Linux 3.0 ppc + Debian Linux 3.0 mipsel + Debian Linux 3.0 mips + Debian Linux 3.0 m68k + Debian Linux 3.0 ia-64 + Debian Linux 3.0 ia-32 + Debian Linux 3.0 hppa + Debian Linux 3.0 arm + Debian Linux 3.0 alpha + Debian Linux 3.0 + MandrakeSoft Corporate Server 2.1 x86_64 + MandrakeSoft Corporate Server 2.1 + Slackware Linux 8.0 Todd Miller Sudo 1.6.5 p2 + NetBSD NetBSD 1.5.2 + OpenBSD OpenBSD 3.1 + RedHat Linux 7.2 ia64 + RedHat Linux 7.2 i386 + RedHat Linux 7.2 alpha + RedHat Linux 7.1 ia64 + RedHat Linux 7.1 i386 + RedHat Linux 7.1 alpha + RedHat Linux 7.0 i386 + RedHat Linux 7.0 alpha - RedHat Linux 6.2 sparc - RedHat Linux 6.2 i386 - RedHat Linux 6.2 alpha + S.u.S.E. Linux 8.0 i386 + S.u.S.E. Linux 8.0 Todd Miller Sudo 1.6.5 p1 + Slackware Linux 8.0 Todd Miller Sudo 1.6.5 Todd Miller Sudo 1.6.4 p2 Todd Miller Sudo 1.6.4 p1 + Conectiva Linux 8.0 + Conectiva Linux 7.0 + Conectiva Linux 6.0 + Conectiva Linux 5.1 + Conectiva Linux 5.0 + Conectiva Linux graficas + Conectiva Linux ecommerce Todd Miller Sudo 1.6.4 + MandrakeSoft Corporate Server 1.0.1 + MandrakeSoft Single Network Firewall 7.2 + Mandriva Linux Mandrake 8.2 + Mandriva Linux Mandrake 8.1 ia64 + Mandriva Linux Mandrake 8.1 + Mandriva Linux Mandrake 8.0 ppc + Mandriva Linux Mandrake 8.0 + Mandriva Linux Mandrake 7.2 + Mandriva Linux Mandrake 7.1 + RedHat Linux 7.2 ia64 + RedHat Linux 7.2 i386 + RedHat Linux 7.2 alpha + RedHat Linux 7.1 ia64 + RedHat Linux 7.1 i386 + RedHat Linux 7.1 alpha + RedHat Linux 7.0 i386 + RedHat Linux 7.0 alpha - RedHat Linux 6.2 sparc - RedHat Linux 6.2 i386 - RedHat Linux 6.2 alpha Todd Miller Sudo 1.6.3 p7 - FreeBSD FreeBSD 4.5 - FreeBSD FreeBSD 4.4 - FreeBSD FreeBSD 4.3 + RedHat Linux 7.2 ia64 + RedHat Linux 7.2 i386 + S.u.S.E. Linux 7.3 sparc + S.u.S.E. Linux 7.3 ppc + S.u.S.E. Linux 7.3 i386 + S.u.S.E. Linux 7.3 + Slackware Linux 8.0 + Trustix Secure Linux 1.5 + Trustix Secure Linux 1.2 + Trustix Secure Linux 1.1 Todd Miller Sudo 1.6.3 p6 + Guardian Digital Engarde Secure Linux 1.0.1 + Guardian Digital Engarde Secure Linux 1.0.1 + HP Secure OS software for Linux 1.0 + HP Secure OS software for Linux 1.0 + RedHat Linux 7.1 ia64 + RedHat Linux 7.1 ia64 + RedHat Linux 7.1 i386 + RedHat Linux 7.1 i386 + RedHat Linux 7.1 alpha + RedHat Linux 7.1 alpha + S.u.S.E. Linux 7.2 i386 + S.u.S.E. Linux 7.2 + S.u.S.E. Linux 7.2 + S.u.S.E. Linux 7.1 x86 + S.u.S.E. Linux 7.1 x86 + S.u.S.E. Linux 7.1 sparc + S.u.S.E. Linux 7.1 sparc + S.u.S.E. Linux 7.1 ppc + S.u.S.E. Linux 7.1 ppc + S.u.S.E. Linux 7.1 alpha + S.u.S.E. Linux 7.1 alpha + S.u.S.E. Linux 7.1 + S.u.S.E. Linux 7.1 + S.u.S.E. Linux 7.0 sparc + S.u.S.E. Linux 7.0 sparc + S.u.S.E. Linux 7.0 ppc + S.u.S.E. Linux 7.0 ppc + S.u.S.E. Linux 7.0 i386 + S.u.S.E. Linux 7.0 i386 + S.u.S.E. Linux 7.0 alpha + S.u.S.E. Linux 7.0 alpha + S.u.S.E. Linux 7.0 + S.u.S.E. Linux 7.0 + Wirex Immunix OS 7.0 + Wirex Immunix OS 7.0 Todd Miller Sudo 1.6.3 p5 Todd Miller Sudo 1.6.3 p4 + Slackware Linux 7.1 Todd Miller Sudo 1.6.3 p3 Todd Miller Sudo 1.6.3 p2 Todd Miller Sudo 1.6.3 p1 Todd Miller Sudo 1.6.3 + RedHat Linux 7.0 i386 + RedHat Linux 7.0 alpha Todd Miller Sudo 1.6.2 - Debian Linux 2.2 Todd Miller Sudo 1.6.1 Todd Miller Sudo 1.6 Todd Miller Sudo 1.5.9 + S.u.S.E. Linux 6.4 ppc + S.u.S.E. Linux 6.4 i386 + S.u.S.E. Linux 6.4 Todd Miller Sudo 1.5.8 Todd Miller Sudo 1.5.7 Todd Miller Sudo 1.5.6

Not Vulnerable:

Discussion

Sudo VISudo Insecure Temporary File Creation Vulnerability

visudo is prone to an insecure temporary file creation vulnerability. However, the issue can only manifest if the software is invoked on a sudoers file that is contained in a world writable directory.

The visudo application creates a temporary file in the same directory as the sudoers file that is being edited. The temporary file is named using a easily predictable filename.

An attacker may exploit this vulnerability to corrupt arbitrary files with privileges of the superuser.

Exploit / POC

Sudo VISudo Insecure Temporary File Creation Vulnerability

No exploit is required.

Solution / Fix

Sudo VISudo Insecure Temporary File Creation Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

References

Sudo VISudo Insecure Temporary File Creation Vulnerability

References:

Sudo Homepage (Todd Miller)