ID CVE-2005-4158
Summary Sudo before 1.6.8 p12, when the Perl taint flag is off, does not clear the (1) PERLLIB, (2) PERL5LIB, and (3) PERL5OPT environment variables, which allows limited local users to cause a Perl script to include and execute arbitrary library files that have the same name as library files that are included by the script.
References
Vulnerable Configurations
  • cpe:2.3:a:todd_miller:sudo:1.5.6
  • cpe:2.3:a:todd_miller:sudo:1.5.7
  • cpe:2.3:a:todd_miller:sudo:1.5.8
  • cpe:2.3:a:todd_miller:sudo:1.5.9
  • cpe:2.3:a:todd_miller:sudo:1.6
  • cpe:2.3:a:todd_miller:sudo:1.6.1
  • cpe:2.3:a:todd_miller:sudo:1.6.2
  • cpe:2.3:a:todd_miller:sudo:1.6.3
  • cpe:2.3:a:todd_miller:sudo:1.6.3_p1
  • cpe:2.3:a:todd_miller:sudo:1.6.3_p2
  • cpe:2.3:a:todd_miller:sudo:1.6.3_p3
  • cpe:2.3:a:todd_miller:sudo:1.6.3_p4
  • cpe:2.3:a:todd_miller:sudo:1.6.3_p5
  • cpe:2.3:a:todd_miller:sudo:1.6.3_p6
  • cpe:2.3:a:todd_miller:sudo:1.6.3_p7
  • cpe:2.3:a:todd_miller:sudo:1.6.4
  • cpe:2.3:a:todd_miller:sudo:1.6.4_p1
  • cpe:2.3:a:todd_miller:sudo:1.6.4_p2
  • cpe:2.3:a:todd_miller:sudo:1.6.5
  • cpe:2.3:a:todd_miller:sudo:1.6.5_p1
  • cpe:2.3:a:todd_miller:sudo:1.6.5_p2
  • cpe:2.3:a:todd_miller:sudo:1.6.6
  • cpe:2.3:a:todd_miller:sudo:1.6.7
  • cpe:2.3:a:todd_miller:sudo:1.6.7_p5
  • cpe:2.3:a:todd_miller:sudo:1.6.8
  • cpe:2.3:a:todd_miller:sudo:1.6.8_p1
  • cpe:2.3:a:todd_miller:sudo:1.6.8_p5
  • cpe:2.3:a:todd_miller:sudo:1.6.8_p7
  • cpe:2.3:a:todd_miller:sudo:1.6.8_p8
  • cpe:2.3:a:todd_miller:sudo:1.6.8_p9
CVSS
Base: 4.6 (as of 12-12-2005 - 18:32)
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
exploit-db via4
  • description Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (1). CVE-2005-4158. Local exploit for linux platform
    id EDB-ID:27056
    last seen 2016-02-03
    modified 2006-01-09
    published 2006-01-09
    reporter Breno Silva Pinto
    source https://www.exploit-db.com/download/27056/
    title Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability 1
  • description Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability (2). CVE-2005-4158. Local exploit for linux platform
    id EDB-ID:27057
    last seen 2016-02-03
    modified 2006-01-09
    published 2006-01-09
    reporter Breno Silva Pinto
    source https://www.exploit-db.com/download/27057/
    title Sudo 1.6.x Environment Variable Handling Security Bypass Vulnerability 2
  • description Sudo Perl 1.6.x Environment Variable Handling Security Bypass Vulnerability. CVE-2005-4158. Local exploit for linux platform
    id EDB-ID:26498
    last seen 2016-02-03
    modified 2005-11-11
    published 2005-11-11
    reporter Charles Morris
    source https://www.exploit-db.com/download/26498/
    title Sudo Perl 1.6.x Environment Variable Handling Security Bypass Vulnerability
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-946.NASL
    description The former correction to vulnerabilities in the sudo package worked fine but was too strict for some environments. Therefore we have reviewed the changes again and allowed some environment variables to go back into the privileged execution environment. Hence, this update. The configuration option 'env_reset' is now activated by default. It will preserve only the environment variables HOME, LOGNAME, PATH, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER in addition to the separate SUDO_* variables. For completeness please find below the original advisory text: It has been discovered that sudo, a privileged program that provides limited super user privileges to specific users, passes several environment variables to the program that runs with elevated privileges. In the case of include paths (e.g. for Perl, Python, Ruby or other scripting languages) this can cause arbitrary code to be executed as privileged user if the attacker points to a manipulated version of a system library. This update alters the former behaviour of sudo and limits the number of supported environment variables to LC_*, LANG, LANGUAGE and TERM. Additional variables are only passed through when set as env_check in /etc/sudoers, which might be required for some scripts to continue to work.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22812
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22812
    title Debian DSA-946-2 : sudo - missing input sanitising
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-235-1.NASL
    description Charles Morris discovered a privilege escalation vulnerability in sudo. On executing Perl scripts with sudo, various environment variables that affect Perl's library search path were not cleaned properly. If sudo is set up to grant limited sudo execution of Perl scripts to normal users, this could be exploited to run arbitrary commands as the target user. This security update also filters out environment variables that can be exploited similarly with Python, Ruby, and zsh scripts. Please note that this does not affect the default Ubuntu installation, or any setup that just grants full root privileges to certain users. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-26
    plugin id 20779
    published 2006-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20779
    title Ubuntu 4.10 / 5.04 / 5.10 : sudo vulnerability (USN-235-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-159.NASL
    description Previous sudo updates were made available to sanitize certain environment variables from affecting a sudo call, such as PYTHONINSPECT, PERL5OPT, etc. While those updates were effective in addressing those specific environment variables, other variables that were not blacklisted were being made available. Debian addressed this issue by forcing sudo to use a whitelist approach in DSA-946-2 by arbitrarily making env_reset the default (as opposed to having to be enabled in /etc/sudoers). Mandriva has opted to follow the same approach, so now only certain variables are, by default, made available, such as HOME, LOGNAME, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER, as well as the SUDO_* variables. If other variables are required to be kept, this can be done by editing /etc/sudoers and using the env_keep option, such as: Defaults env_keep='FOO BAR'. As well, the Corporate 3 packages are now compiled with the SECURE_PATH setting. Updated packages are patched to address this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 23903
    published 2006-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23903
    title Mandrake Linux Security Advisory : sudo (MDKSA-2006:159)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-234.NASL
    description Charles Morris discovered a vulnerability in sudo versions prior to 1.6.8p12 where, when the perl taint flag is off, sudo does not clear the PERLLIB, PERL5LIB, and PERL5OPT environment variables, which could allow limited local users to cause a perl script to include and execute arbitrary library files that have the same name as library files that are included by the script. In addition, other environment variables have been included in the patch that remove similar environment variables that could be used in python and ruby scripts, among others. The updated packages have been patched to correct this problem.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 20465
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20465
    title Mandrake Linux Security Advisory : sudo (MDKSA-2005:234)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-235-2.NASL
    description USN-235-1 fixed a vulnerability in sudo's handling of environment variables. Tavis Ormandy noticed that sudo did not filter out the PYTHONINSPECT environment variable, so that users with the limited privilege of calling a python script with sudo could still escalate their privileges. For reference, this is the original advisory: Charles Morris discovered a privilege escalation vulnerability in sudo. On executing Perl scripts with sudo, various environment variables that affect Perl's library search path were not cleaned properly. If sudo is set up to grant limited sudo execution of Perl scripts to normal users, this could be exploited to run arbitrary commands as the target user. This security update also filters out environment variables that can be exploited similarly with Python, Ruby, and zsh scripts. Please note that this does not affect the default Ubuntu installation, or any setup that just grants full root privileges to certain users. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-26
    plugin id 20780
    published 2006-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20780
    title Ubuntu 4.10 / 5.04 / 5.10 : sudo vulnerability (USN-235-2)
refmap via4
bid 15394
confirm http://www.sudo.ws/sudo/alerts/perl_env.html
debian DSA-946
mandrake MDKSA-2005:234
mandriva MDKSA-2006:159
sectrack 1015192
secunia
  • 17534
  • 18102
  • 18156
  • 18308
  • 18463
  • 18549
  • 18558
  • 21692
suse SUSE-SR:2006:002
trustix 2006-0002
ubuntu USN-235-1
vupen ADV-2005-2386
xf sudo-perl-execute-code(23102)
statements via4
contributor Mark J Cox
lastmodified 2008-01-24
organization Red Hat
statement We do not consider this to be a security issue. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478#c1
Last major update 19-02-2017 - 00:10
Published 10-12-2005 - 21:03
Last modified 19-07-2017 - 21:29