FreeBSD : sudo -- Privilege escalation with sudoedit (1a9f678d-48ca-11df-85f8-000c29a67389)

This script is Copyright (C) 2010-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Todd Miller reports :

Sudo's command matching routine expects actual commands to include one
or more slash ('/') characters. The flaw is that sudo's path
resolution code did not add a './' prefix to commands found in the
current working directory. This creates an ambiguity between a
'sudoedit' command found in the cwd and the 'sudoedit' pseudo-command
in the sudoers file. As a result, a user may be able to run an
arbitrary command named 'sudoedit' in the current working directory.
For the attack to be successful, the PATH environment variable must
include '.' and may not include any other directory that contains a
'sudoedit' command.

See also :

http://www.sudo.ws/pipermail/sudo-announce/2010-April/000093.html
http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html
http://www.nessus.org/u?071b8383

Solution :

Update the affected package.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 45547 (freebsd_pkg_1a9f678d48ca11df85f8000c29a67389.nasl)

Bugtraq ID:

CVE ID: CVE-2010-1163

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now