1384982 – (CVE-2016-7076) CVE-2016-7076 sudo: noexec bypass via wordexp()

Bug 1384982 (CVE-2016-7076) - CVE-2016-7076 sudo: noexec bypass via wordexp()

Summary: CVE-2016-7076 sudo: noexec bypass via wordexp()

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-7076
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1389496 1391937 1391938 1391939 1391940
Blocks:	1372831
TreeView+	depends on / blocked

Reported:	2016-10-14 13:41 UTC by Tomas Hoger
Modified:	2021-12-10 14:45 UTC (History)
CC List:	7 users (show)
Fixed In Version:	sudo 1.8.18p1
Doc Type:	If docs needed, set a value
Doc Text:	It was discovered that the sudo noexec restriction could have been bypassed if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.
Clone Of:
Environment:
Last Closed:	2016-12-06 11:56:24 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2872	0	normal	SHIPPED_LIVE	Moderate: sudo security update	2016-12-06 16:06:44 UTC

Description Tomas Hoger 2016-10-14 13:41:49 UTC

The sudo allows the use of NOEXEC tag it its configuration to define that program executed via sudo can not execute any other commands.  This restriction is implemented via dynamic library which is preloaded for the executed program and which implements wrappers for various exec functions.

It was discovered that the wrapping of exec functions is insufficient to block command execution via glibc APIs that internally call one of the exec functions - system() or popen() (see CVE-2016-7032 tracked via bug 1372830), and wordexp (CVE-2016-7076, tracked via this bug).

This issue was originally tracked under single CVE via bug 1372830, but the CVE assignment was split because of different versions in which problems for system()/popen() and wordexp() were fixed.

The noexec bypass using wordexp() is being fixed in 1.8.18p1 (see bug 1372830 comment 11):

* Wrapper for wordexp() was added to sudo_noexec.so which forces the use of WRDE_NOCMD flag in wordexp().

https://www.sudo.ws/repos/sudo/rev/e7d09243e51b
https://www.sudo.ws/repos/sudo/rev/7b8357b0a358
https://www.sudo.ws/repos/sudo/rev/167a518d8129

NEWS file entry:

 * When sudo_noexec.so is used, the WRDE_NOCMD flag is now added
   if the wordexp() function is called.  This prevents commands
   from being run via wordexp() without disabling it entirely.

Comment 1 Tomas Hoger 2016-10-14 13:41:55 UTC

Acknowledgments:

Name: Florian Weimer (Red Hat)

Comment 3 Tomas Hoger 2016-10-14 13:57:23 UTC

Fixed now in 1.8.18p1:

https://www.sudo.ws/stable.html#1.8.18p1

Comment 4 Tomas Hoger 2016-10-27 18:04:48 UTC

Public now via upstream advisory.

External References:

https://www.sudo.ws/alerts/noexec_wordexp.html

Comment 5 Tomas Hoger 2016-10-27 18:05:36 UTC

Created sudo tracking bugs for this issue:

Affects: fedora-all [bug 1389496]

Comment 10 errata-xmlrpc 2016-12-06 11:07:06 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:2872 https://rhn.redhat.com/errata/RHSA-2016-2872.html

Note You need to log in before you can comment on or make changes to this bug.