Bug 1384982 (CVE-2016-7076)

Summary: CVE-2016-7076 sudo: noexec bypass via wordexp()
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, dkopecek, fweimer, pkis, security-response-team, slawomir, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: sudo 1.8.18p1
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the sudo noexec restriction could have been bypassed if an application run via sudo called the wordexp() C library function with a user-supplied argument. A local user permitted to run such an application via sudo with the noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.
Story Points: ---
Last Closed: 2016-12-06 11:56:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1389496, 1391937, 1391938, 1391939, 1391940
Bug Blocks: 1372831

Description Tomas Hoger 2016-10-14 13:41:49 UTC
Sudo allows the use of the NOEXEC tag in its configuration to define that a program executed via sudo cannot execute any other commands.  This restriction is implemented via a dynamic library which is preloaded for the executed program and which implements wrappers for various exec functions.

It was discovered that the wrapping of exec functions is insufficient to block command execution via glibc APIs that internally call one of the exec functions - system() or popen() (see CVE-2016-7032 tracked via bug 1372830), and wordexp (CVE-2016-7076, tracked via this bug).

This issue was originally tracked under a single CVE via bug 1372830, but the CVE assignment was split because of the different versions in which the problems for system()/popen() and wordexp() were fixed.

The noexec bypass using wordexp() is being fixed in 1.8.18p1 (see bug 1372830 comment 11):

* A wrapper for wordexp() was added to sudo_noexec.so which forces the use of the WRDE_NOCMD flag in wordexp().

https://www.sudo.ws/repos/sudo/rev/e7d09243e51b
https://www.sudo.ws/repos/sudo/rev/7b8357b0a358
https://www.sudo.ws/repos/sudo/rev/167a518d8129

NEWS file entry:

 * When sudo_noexec.so is used, the WRDE_NOCMD flag is now added
   if the wordexp() function is called.  This prevents commands
   from being run via wordexp() without disabling it entirely.
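
To illustrate the WRDE_NOCMD mitigation described in the NEWS entry, here is an added example in C; it is not sudo's code. The real sudo_noexec.so interposes the wordexp symbol itself via preloading, whereas this example wraps it under the hypothetical name noexec_wordexp and uses a few constructed sample patterns.

```c
#include <stdio.h>
#include <wordexp.h>

/* noexec_wordexp: hypothetical wrapper name for this example. It adds
 * WRDE_NOCMD to whatever flags the caller passed, so any "$(...)" or
 * backtick command substitution in `words` makes wordexp() fail with
 * WRDE_CMDSUB before a shell is ever spawned. Ordinary expansion
 * (field splitting, quoting, globbing, variables) still works. */
int noexec_wordexp(const char *words, wordexp_t *we, int flags)
{
    return wordexp(words, we, flags | WRDE_NOCMD);
}

/* Helper used by the demo below: returns the number of words the
 * pattern expands to under the noexec policy, -1 if it was refused
 * because it contained a command substitution, or -2 on any other
 * wordexp() error. */
int noexec_word_count(const char *words)
{
    wordexp_t we;
    int rc = noexec_wordexp(words, &we, 0);
    if (rc == WRDE_CMDSUB)
        return -1;
    if (rc != 0)
        return -2;
    int n = (int)we.we_wordc;
    wordfree(&we);
    return n;
}

int main(void)
{
    /* Constructed sample patterns: two benign ones and two that would
     * reach a shell through wordexp() if WRDE_NOCMD were not forced. */
    const char *samples[] = { "foo bar", "'one arg' two", "$(id)", "`id`" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = noexec_word_count(samples[i]);
        if (n == -1)
            printf("%-14s -> refused (WRDE_CMDSUB)\n", samples[i]);
        else if (n < 0)
            printf("%-14s -> error\n", samples[i]);
        else
            printf("%-14s -> %d word(s)\n", samples[i], n);
    }
    return 0;
}
```

The benign patterns expand normally while both command-substitution forms are rejected with WRDE_CMDSUB, which is exactly the behaviour the NEWS entry describes: command execution is blocked without disabling wordexp() entirely.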

Comment 1 Tomas Hoger 2016-10-14 13:41:55 UTC
Acknowledgments:

Name: Florian Weimer (Red Hat)

Comment 3 Tomas Hoger 2016-10-14 13:57:23 UTC
Fixed now in 1.8.18p1:

https://www.sudo.ws/stable.html#1.8.18p1

Comment 4 Tomas Hoger 2016-10-27 18:04:48 UTC
Public now via upstream advisory.

External References:

https://www.sudo.ws/alerts/noexec_wordexp.html

Comment 5 Tomas Hoger 2016-10-27 18:05:36 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1389496]

Comment 10 errata-xmlrpc 2016-12-06 11:07:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:2872 https://rhn.redhat.com/errata/RHSA-2016-2872.html