Bug 1384982 (CVE-2016-7076) - CVE-2016-7076 sudo: noexec bypass via wordexp()
Summary: CVE-2016-7076 sudo: noexec bypass via wordexp()
Status: CLOSED ERRATA
Alias: CVE-2016-7076
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161026,repor...
Keywords: Security
Depends On: 1389496 1391937 1391938 1391939 1391940
Blocks: 1372831
Reported: 2016-10-14 13:41 UTC by Tomas Hoger
Modified: 2019-06-08 21:30 UTC (History)
It was discovered that the sudo noexec restriction could have been bypassed if an application run via sudo executed the wordexp() C library function with a user-supplied argument. A local user permitted to run such an application via sudo with the noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.
Clone Of:
Last Closed: 2016-12-06 11:56:24 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2872 normal SHIPPED_LIVE Moderate: sudo security update 2016-12-06 16:06:44 UTC

Description Tomas Hoger 2016-10-14 13:41:49 UTC
sudo allows the use of the NOEXEC tag in its configuration to define that a program executed via sudo cannot execute any other commands.  This restriction is implemented via a dynamic library which is preloaded for the executed program and which implements wrappers for various exec functions.

It was discovered that the wrapping of exec functions is insufficient to block command execution via glibc APIs that internally call one of the exec functions - system() or popen() (see CVE-2016-7032 tracked via bug 1372830), and wordexp (CVE-2016-7076, tracked via this bug).

This issue was originally tracked under a single CVE via bug 1372830, but the CVE assignment was split because of the different versions in which the problems for system()/popen() and wordexp() were fixed.

The noexec bypass using wordexp() is being fixed in 1.8.18p1 (see bug 1372830 comment 11):

* Wrapper for wordexp() was added to sudo_noexec.so which forces the use of WRDE_NOCMD flag in wordexp().

https://www.sudo.ws/repos/sudo/rev/e7d09243e51b
https://www.sudo.ws/repos/sudo/rev/7b8357b0a358
https://www.sudo.ws/repos/sudo/rev/167a518d8129

NEWS file entry:

 * When sudo_noexec.so is used, the WRDE_NOCMD flag is now added
   if the wordexp() function is called.  This prevents commands
   from being run via wordexp() without disabling it entirely.
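
The effect of forcing WRDE_NOCMD, as the fix above describes, shown in an added example that is not part of this bug report or of sudo's code. The helper names `expand_nocmd()` and `count_words()` are hypothetical and the inputs are constructed: plain words still expand, while input containing command substitution is refused with WRDE_CMDSUB.

```c
#include <stdio.h>
#include <wordexp.h>

/* Hypothetical helper (not sudo's code): same idea as the fix described
 * above, the caller's flags are kept and WRDE_NOCMD is always added. */
int expand_nocmd(const char *words, wordexp_t *out, int flags)
{
    return wordexp(words, out, flags | WRDE_NOCMD);
}

/* Returns the number of expanded words, or the negated wordexp() error
 * code (for example -WRDE_CMDSUB) when the expansion is refused. */
int count_words(const char *input)
{
    wordexp_t we = {0};
    int rc = expand_nocmd(input, &we, 0);

    if (rc != 0) {
        if (rc == WRDE_NOSPACE)
            wordfree(&we);   /* partial results may have been allocated */
        return -rc;
    }
    int n = (int)we.we_wordc;
    wordfree(&we);
    return n;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "alpha beta gamma",
        "$(echo constructed)",
        "`echo constructed`",
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = count_words(samples[i]);
        if (r == -WRDE_CMDSUB)
            printf("%-22s -> refused (WRDE_CMDSUB)\n", samples[i]);
        else if (r < 0)
            printf("%-22s -> wordexp error %d\n", samples[i], -r);
        else
            printf("%-22s -> %d word(s)\n", samples[i], r);
    }
    return 0;
}
```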

Comment 1 Tomas Hoger 2016-10-14 13:41:55 UTC
Acknowledgments:

Name: Florian Weimer (Red Hat)

Comment 3 Tomas Hoger 2016-10-14 13:57:23 UTC
Fixed now in 1.8.18p1:

https://www.sudo.ws/stable.html#1.8.18p1

Comment 4 Tomas Hoger 2016-10-27 18:04:48 UTC
Public now via upstream advisory.

External References:

https://www.sudo.ws/alerts/noexec_wordexp.html

Comment 5 Tomas Hoger 2016-10-27 18:05:36 UTC
Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1389496]

Comment 10 errata-xmlrpc 2016-12-06 11:07:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:2872 https://rhn.redhat.com/errata/RHSA-2016-2872.html

