Bug 174849 - CVE-2005-3629 root shell can be gained from service if ran through sudo
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: initscripts (Show other bugs)
Version: 4.0
Hardware/OS: All Linux
Priority: medium / Severity: medium
Assigned To: Bill Nottingham
QA Contact: Brock Organ
Whiteboard: impact=moderate,embargo=yes,reported=...
Keywords: Security
Depends On: 174825
Blocks: 168429
Reported: 2005-12-02 13:55 EST by Bill Nottingham
Modified: 2014-03-16 22:57 EDT (History)

Fixed In Version: RHSA-2006-0016
Doc Type: Bug Fix
Last Closed: 2006-03-07 13:23:23 EST


Description Bill Nottingham 2005-12-02 13:55:13 EST
+++ This bug was initially created as a clone of Bug #174825 +++

Description of problem:
By setting one of various environment variables to "valid" but yet "invalid" 
values and then running service through sudo, one can gain a root shell as a 
normal user.

Version-Release number of selected component (if applicable):
7.31.18.EL

How reproducible:
Always

Steps to Reproduce:
1. Run the following command:

     TERM="$TERM /bin/bash -c /bin/bash" sudo /sbin/service network status

Note the actual service and option for the service really don't matter.
  
Actual results:
Instant root shell.

Expected results:
No root shell.

Additional info:
The problem, and there may be others, is that environment variables, when 
expanded in the service script, are not quoted.  Here is the particular 
offending line in this case:

   env -i LANG=$LANG PATH=$PATH TERM=$TERM "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

If the vars were quoted as in:

   env -i LANG="$LANG" PATH="$PATH" TERM="$TERM" "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

then this exploit would not be possible (save maybe with some diddling of IFS).

The problem is mitigated by the fact that one has to configure something like 
sudo to allow a user to run service in some fashion, and also in that the 
problem can be sidestepped by having the sudo entry run something that runs 
service that properly cleans the environment before execing service.
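Added example (not code from the bug report or from initscripts): it reproduces the word-splitting the report describes using a harmless TERM value and a stand-in service script in a constructed temp directory, shows that the quoted form fixes it, and adds a crude grep check a reviewer could run over init scripts. The paths, the stand-in script and the check function are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or initscripts): reproduces the
# word-splitting behind the unquoted `env -i ... TERM=$TERM` line with a
# harmless value, and shows that quoting stops it. All paths are constructed.
WORKDIR=$(mktemp -d)
SERVICEDIR="$WORKDIR"
SERVICE="fake-service"            # stand-in for an /etc/init.d script
OPTIONS="status"
cat > "$SERVICEDIR/$SERVICE" <<'EOF'
#!/bin/sh
# Reports how many arguments it received and the TERM it was handed.
printf 'argc=%s TERM=%s\n' "$#" "$TERM"
EOF
chmod +x "$SERVICEDIR/$SERVICE"

# Constructed value with embedded whitespace and a second program; it only
# echoes a marker, so the effect of splitting is visible but harmless.
HOSTILE_TERM="xterm /bin/echo hijacked"

# Vulnerable form from the report: $TERM is not quoted, so the shell splits
# it into several words and env runs /bin/echo as the command; the service
# script is never reached at all.
run_unquoted() {
    TERM="$HOSTILE_TERM"
    env -i LANG=$LANG PATH=$PATH TERM=$TERM "${SERVICEDIR}/${SERVICE}" ${OPTIONS}
}

# Fixed form: each value stays one word however much whitespace it contains,
# so the service script runs and merely sees an odd TERM string.
run_quoted() {
    TERM="$HOSTILE_TERM"
    env -i LANG="$LANG" PATH="$PATH" TERM="$TERM" "${SERVICEDIR}/${SERVICE}" ${OPTIONS}
}

# Defender's check (crude, constructed): flag env invocations that pass a
# bare $expansion as a NAME=VALUE argument. Exit status 0 when one is found.
has_unquoted_env_assignment() {
    grep -qE '(^|[[:space:]])env[[:space:]].*[A-Za-z_]+=\$[A-Za-z_{]' "$1"
}

run_unquoted          # prints the echo marker, not the argc= line
run_quoted            # prints: argc=1 TERM=xterm /bin/echo hijacked
```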
Comment 2 Bill Nottingham 2005-12-02 15:16:06 EST
Fixed in 7.93.23.EL-1.
Comment 6 Josh Bressers 2006-03-07 10:45:06 EST
Lifting embargo.
Comment 7 Red Hat Bugzilla 2006-03-07 13:23:23 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0016.html
