Re: hole in sudo for MP-RAS.

[cschuber () uumail gov bc ca (Cy Schubert - ITSD Open Systems Group)]

> As this seems to only affect that one OS, I'm not sure I would call
> it a bug in sudo.  When this was reported for 1.5.2 I took a look
> but couldn't find any way to reproduce it (and I don't have access
> to the OS in question).

I've been able to reproduce the exploit using cu-sudo 1.5.3 under DEC UNIX
4.0B and FreeBSD 2.2.5.  After looking at the code the bug can be exploited on
any platform.

Here is a patch to fix the problem, assuming your operating system of choice
supports realpath(3).  *BSD, Linux, Solaris, SunOS, DEC UNIX, AIX, and DG/UX
should have no problem with this patch.

diff -ur sudo.v1.5.3.orig/find_path.c sudo.v1.5.3/find_path.c
--- sudo.v1.5.3.orig/find_path.c        Wed Nov 13 18:37:22 1996
+++ sudo.v1.5.3/find_path.c     Mon Jan 12 17:55:43 1998
@@ -118,7 +118,11 @@
      * the error is "not found" -- this way we get the correct error.
      */
     if (strchr(file, '/')) {
-       (void) strcpy(command, file);
+       if (realpath(file, command) == NULL) {
+           (void) fprintf(stderr, "%s: %s", Argv[0], file);
+           perror("");
+           exit(1);
+       }
        if (sudo_goodpath(command)) {
            return(command);
        } else {

>  - todd



Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber () uumail gov bc ca
                                       Cy.Schubert () gems8 gov bc ca

                "Quit spooling around, JES do it."