
Re: [security@xxxxxxx] [XNUXER-SECURITY] Root Privilege Escalation in Sudo version 1.6.8p7 without Password, SuSE 9.3



I checked this on my RedHat Linux 9 box running sudo v 1.6.6. It
didn't affect it any...


On 5/31/05, Marcus Meissner <meissner@xxxxxxx> wrote:
> On Tue, May 31, 2005 at 01:02:22PM +0700, Xnuxer Security wrote:
> > Today, 31 May 2005, I found error with root privilege escalation in
> > Sudo version 1.6.8p7 that package installed with SuSE 9.3. Testing in
> > my machine, sudo appear not check is true when I press CTRL + C with
> > blank password and giving status SID as root privilege to SID user. I
> > got successful as root without need a password but only use blank
> > password and press CTRL + C. Please check my testing below in my SuSE
> > 9.3 box:
> >
> > client@mysuse:~> cat /etc/issue
> >
> > Welcome to SuSE Linux 9.3 (i586) - Kernel \r (\l).
> >
> >
> > client@mysuse:~> id
> > uid=1000(client) gid=100(users) groups=16(dialout),33(video),100(users)
> > client@mysuse:~> uname -a
> > Linux mysuse 2.6.11.4-20a-default #1 Wed Mar 23 21:52:37 UTC 2005 i686
> > i686 i386 GNU/Linux
> > client@mysuse:~> sudo -V
> > Sudo version 1.6.8p7
> > client@mysuse:~> sudo su
> > Password:                         <---- fake password and press ENTER
> > Sorry, try again.
> > Password:                          <---- blank password and press CTRL + C
> > mysuse:/home/client #
> > mysuse:/home/client # uname -a; id; uptime
> > Linux mysuse 2.6.11.4-20a-default #1 Wed Mar 23 21:52:37 UTC 2005 i686
> > i686 i386 GNU/Linux
> > uid=0(root) gid=0(root) groups=0(root)
> >  12:29pm  up   2:45,  3 users,  load average: 0.14, 0.29, 0.45
> > mysuse:/home/client #
> >
> > Other sudo version is not check yet, about affect in other distro of
> > linux not check too but possible vulnerable, please check it. SuSE
> > Security still contacted by me.
> 
> I cannot reproduce this in the default installation of sudo in SUSE Linux
> 9.3.
> 
> Did you adapt the sudo config file in some way?
> 
> What exactly do you mean with "blank password" ? Empty? Or a number
> of spaces?
> 
> Ciao, Marcus
> 
> 
>