Todd Miller Sudo CVE-2013-1776 Local Security Bypass Vulnerability
BID: 58207
Info
| Bugtraq ID: | 58207 |
| Class: | Design Error |
| CVE: | CVE-2013-1776 CVE-2013-2776 CVE-2013-2777 |
| Remote: | No |
| Local: | Yes |
| Published: | Feb 27 2013 12:00AM |
| Updated: | Jul 29 2016 05:00PM |
| Credit: | Ryan Castellucci and James Ogden |
| Vulnerable: | Todd Miller Sudo 1.8.3; Todd Miller Sudo 1.8.2; Todd Miller Sudo 1.8.1; Todd Miller Sudo 1.8; Todd Miller Sudo 1.7.2 p7; Todd Miller Sudo 1.7.2 p6; Todd Miller Sudo 1.7.2 p5; Todd Miller Sudo 1.7.2 p4; Todd Miller Sudo 1.7.2 p3; Todd Miller Sudo 1.7.2 p1; Todd Miller Sudo 1.7; Todd Miller Sudo 1.6.9 p19; Todd Miller Sudo 1.6.9 p18; Todd Miller Sudo 1.6.9 p17; Todd Miller Sudo 1.6.8 p9; Todd Miller Sudo 1.6.8 p8; Todd Miller Sudo 1.6.8 p7; Todd Miller Sudo 1.6.8 p5; Todd Miller Sudo 1.6.8 p4; Todd Miller Sudo 1.6.8 p2; Todd Miller Sudo 1.6.8 p12; Todd Miller Sudo 1.6.8 p1; Todd Miller Sudo 1.6.8; Todd Miller Sudo 1.6.7 p5; Todd Miller Sudo 1.6.7; Todd Miller Sudo 1.6.6; Todd Miller Sudo 1.6.5 p2; Todd Miller Sudo 1.6.5 p1; Todd Miller Sudo 1.6.5; Todd Miller Sudo 1.6.4 p2; Todd Miller Sudo 1.6.4 p1; Todd Miller Sudo 1.6.4; Todd Miller Sudo 1.6.3 p7; Todd Miller Sudo 1.6.3 p6; Todd Miller Sudo 1.6.3 p5; Todd Miller Sudo 1.6.3 p4; Todd Miller Sudo 1.6.3 p3; Todd Miller Sudo 1.6.3 p2; Todd Miller Sudo 1.6.3 p1; Todd Miller Sudo 1.6.3; Todd Miller Sudo 1.6.2; Todd Miller Sudo 1.6.1; Todd Miller Sudo 1.6; Todd Miller Sudo 1.5.9; Todd Miller Sudo 1.5.8; Todd Miller Sudo 1.5.7; Todd Miller Sudo 1.5.6; Todd Miller Sudo 1.3.5; Todd Miller Sudo 1.8.6p6; Todd Miller Sudo 1.8.5p3; Todd Miller Sudo 1.8.4p5; Todd Miller Sudo 1.8.3p2; Todd Miller Sudo 1.8.3p1; Todd Miller Sudo 1.7.9p1; Todd Miller Sudo 1.7.4p4; Todd Miller Sudo 1.7.4p3; Todd Miller Sudo 1.7.10p5; Todd Miller Sudo 1.6.9 p23; Todd Miller Sudo 1.6.9 p22; Todd Miller Sudo 1.6.9 p21; Todd Miller Sudo 1.6.9 p20; Slackware Linux x86_64 -current; Slackware Linux 14.0 x86_64; Slackware Linux 14.0; Slackware Linux 13.37 x86_64; Slackware Linux 13.37; Slackware Linux 13.1 x86_64; Slackware Linux 13.1; Slackware Linux 13.0 x86_64; Slackware Linux 13.0; Slackware Linux 12.2; Slackware Linux 12.1; Slackware Linux -current; Redhat Enterprise Linux Workstation Optional 6; Redhat Enterprise Linux Workstation 6; Redhat Enterprise Linux Server Optional 6; Redhat Enterprise Linux Server 6; Redhat Enterprise Linux HPC Node Optional 6; Redhat Enterprise Linux HPC Node 6; Redhat Enterprise Linux Desktop Optional 6; Redhat Enterprise Linux Desktop 6; Redhat Enterprise Linux Desktop 5 client; Redhat Enterprise Linux 5 Server; Oracle VM Server for x86 3.4; Oracle VM Server for x86 3.3; Oracle VM Server for x86 3.2; Oracle Solaris 11.1; Oracle Enterprise Linux 6.2; Oracle Enterprise Linux 6; Oracle Enterprise Linux 5; Mandriva Business Server 1 X86 64; Mandriva Business Server 1; MandrakeSoft Enterprise Server 5 x86_64; MandrakeSoft Enterprise Server 5; Gentoo Linux; Debian Linux 6.0 sparc; Debian Linux 6.0 s/390; Debian Linux 6.0 powerpc; Debian Linux 6.0 mips; Debian Linux 6.0 ia-64; Debian Linux 6.0 ia-32; Debian Linux 6.0 arm; Debian Linux 6.0 amd64; Avaya Voice Portal 5.1.3; Avaya Voice Portal 5.1.2; Avaya Voice Portal 5.1.1; Avaya Voice Portal 5.1 SP3; Avaya Voice Portal 5.1 SP2; Avaya Voice Portal 5.1 SP1; Avaya Voice Portal 5.1; Avaya Voice Portal 5.0 SP2; Avaya Voice Portal 5.0 SP1; Avaya Proactive Contact 5.1; Avaya Proactive Contact 5.0; Avaya one-X Client Enablement Services 6.2; Avaya one-X Client Enablement Services 6.1.2; Avaya one-X Client Enablement Services 6.1.1; Avaya one-X Client Enablement Services 6.1; Avaya IQ 4.1; Avaya IQ 5.2; Avaya IQ 5.1.1; Avaya IQ 5.1; Avaya IQ 5; Avaya IQ 4.2; Avaya IQ 4.0; Avaya IP Office Server Edition 9.0; Avaya IP Office Server Edition 8.1; Avaya IP Office Application Server 9.0; Avaya IP Office Application Server 8.1; Avaya IP Office Application Server 8.0; Avaya Communication Server 1000M Signaling Server 7.6; Avaya Communication Server 1000M Signaling Server 7.5; Avaya Communication Server 1000M Signaling Server 7.0; Avaya Communication Server 1000M Signaling Server 6.0; Avaya Communication Server 1000M 7.6; Avaya Communication Server 1000M 7.5; Avaya Communication Server 1000M 7.0; Avaya Communication Server 1000M 6.0; Avaya Communication Server 1000E Signaling Server 7.6; Avaya Communication Server 1000E Signaling Server 7.5; Avaya Communication Server 1000E Signaling Server 7.0; Avaya Communication Server 1000E Signaling Server 6.0; Avaya Communication Server 1000E 7.6; Avaya Communication Server 1000E 7.5; Avaya Communication Server 1000E 7.0; Avaya Communication Server 1000E 6.0; Avaya CMS r17; Avaya Aura System Platform 6.0.2; Avaya Aura System Platform 6.0.1; Avaya Aura System Platform 6.2; Avaya Aura System Platform 6.0.3.9.3; Avaya Aura System Platform 6.0.3.8.3; Avaya Aura System Platform 6.0.3.0.3; Avaya Aura System Platform 6.0 SP3; Avaya Aura System Platform 6.0 SP2; Avaya Aura System Platform 6.0; Avaya Aura System Platform 1.1; Avaya Aura System Manager 6.3.2; Avaya Aura System Manager 6.3.1; Avaya Aura System Manager 6.3; Avaya Aura System Manager 6.2.3; Avaya Aura System Manager 6.2 SP3; Avaya Aura System Manager 6.2; Avaya Aura System Manager 6.1.5; Avaya Aura System Manager 6.1.3; Avaya Aura System Manager 6.1.2; Avaya Aura System Manager 6.1.1; Avaya Aura System Manager 6.1 SP2; Avaya Aura System Manager 6.1 SP1; Avaya Aura System Manager 6.1; Avaya Aura System Manager 6.0 SP1; Avaya Aura System Manager 6.0; Avaya Aura System Manager 5.2; Avaya Aura System Manager 5.0; Avaya Aura Session Manager 6.3.1; Avaya Aura Session Manager 6.1.5; Avaya Aura Session Manager 6.1.3; Avaya Aura Session Manager 6.1.2; Avaya Aura Session Manager 6.1.1; Avaya Aura Session Manager 6.3; Avaya Aura Session Manager 6.2; Avaya Aura Session Manager 6.1 SP2; Avaya Aura Session Manager 6.1 SP1; Avaya Aura Session Manager 6.1; Avaya Aura Session Manager 6.0.2; Avaya Aura Session Manager 6.0 SP1; Avaya Aura Presence Services 6.1.2; Avaya Aura Presence Services 6.1.1; Avaya Aura Presence Services 6.2; Avaya Aura Presence Services 6.1 SP2; Avaya Aura Presence Services 6.1 SP1; Avaya Aura Presence Services 6.1; Avaya Aura Presence Services 6.0; Avaya Aura Messaging 6.1.1; Avaya Aura Messaging 6.2; Avaya Aura Messaging 6.1; Avaya Aura Messaging 6.0.1; Avaya Aura Messaging 6.0; Avaya Aura Experience Portal 6.0.2; Avaya Aura Experience Portal 6.0.1; Avaya Aura Experience Portal 6.0 SP2; Avaya Aura Experience Portal 6.0 SP1; Avaya Aura Experience Portal 6.0; Avaya Aura Conferencing 7.0 Standard; Avaya Aura Conferencing 7.0; Avaya Aura Communication Manager Utility Services 6.3; Avaya Aura Communication Manager Utility Services 6.2.5.0.15; Avaya Aura Communication Manager Utility Services 6.2.4.0.15; Avaya Aura Communication Manager Utility Services 6.2; Avaya Aura Communication Manager Utility Services 6.1.0.9.8; Avaya Aura Communication Manager Utility Services 6.1 SP 6.1.0.9.8; Avaya Aura Communication Manager Utility Services 6.1; Avaya Aura Communication Manager Utility Services 6.0; Avaya Aura Communication Manager 6.3; Avaya Aura Communication Manager 6.2; Avaya Aura Communication Manager 6.0.1; Avaya Aura Communication Manager 6.0; Avaya Aura Collaboration Environment 2.0; Avaya Aura Application Server 5300 SIP Core 3.0 PB5; Avaya Aura Application Server 5300 SIP Core 3.0 PB3; Avaya Aura Application Server 5300 SIP Core 3.0; Avaya Aura Application Server 5300 SIP Core 2.1; Avaya Aura Application Server 5300 SIP Core 2.0 PB28; Avaya Aura Application Server 5300 SIP Core 2.0 PB26; Avaya Aura Application Server 5300 SIP Core 2.0 PB25; Avaya Aura Application Server 5300 SIP Core 2.0 PB23; Avaya Aura Application Server 5300 SIP Core 2.0 PB19; Avaya Aura Application Server 5300 SIP Core 2.0 PB16; Avaya Aura Application Server 5300 SIP Core 2.0; Avaya Aura Application Enablement Services 5.2.1; Avaya Aura Application Enablement Services 6.2; Avaya Aura Application Enablement Services 6.1.2; Avaya Aura Application Enablement Services 6.1.1; Avaya Aura Application Enablement Services 6.1; Avaya Aura Application Enablement Services 6.0; Avaya Aura Application Enablement Services 5.2.4; Avaya Aura Application Enablement Services 5.2.3; Avaya Aura Application Enablement Services 5.2.2; Avaya Aura Application Enablement Services 5.2; Avaya Aura Application Enablement Services 5.0; Apple Mac OS X 10.10.4; Apple Mac OS X 10.10.3; Apple Mac OS X 10.10.2; Apple Mac OS X 10.10.1; Apple Mac OS X 10.10 |
| Not Vulnerable: | Todd Miller Sudo 1.8.6p7; Todd Miller Sudo 1.7.10p6; Oracle Solaris 11.1.7.5.0; Apple Mac OS X 10.10.5 |
Discussion
Todd Miller 'sudo' is prone to a local security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
This issue affects 'sudo' 1.3.5 through 1.7.10p5 and 'sudo' 1.8.0 through 1.8.6p6.
Note: In versions prior to sudo 1.7.4, the issue is only exploitable when the 'tty_tickets' option is enabled.
Exploit / POC
Local attackers can use readily available commands to exploit this issue.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
Slackware Linux 12.2
- Slackware sudo-1.7.10p7-i486-1_slack12.2.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/sudo-1.7.10p7-i486-1_slack12.2.tgz
Slackware Linux 13.1
- Slackware sudo-1.7.10p7-i486-1_slack13.1.txz
  ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/sudo-1.7.10p7-i486-1_slack13.1.txz
Slackware Linux x86_64 -current
- Slackware sudo-1.8.6p7-x86_64-1.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/ap/sudo-1.8.6p7-x86_64-1.txz
Slackware Linux 14.0 x86_64
- Slackware sudo-1.8.6p7-x86_64-1_slack14.0.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/sudo-1.8.6p7-x86_64-1_slack14.0.txz
References
References:
- Multiple Permissions, Privileges, and Access Control vulnerabilities in Sudo (Oracle)
- Potential bypass of tty_tickets constraints (Todd C. Miller)
- Sudo Homepage (Todd Miller)
- sudo security, bug fix and enhancement update (RHSA-2013-1701) (Avaya)
- APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006 (Apple)
- Oracle VM Server for x86 Bulletin - July 2016 (Oracle)
- sudo security and bug fix update (RHSA-2013-1353) (Avaya)