FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

sudo -- Secure path vulnerability

Affected packages
sudo < 1.7.2.7

Details

VuXML ID d42e5b66-6ea0-11df-9c8d-00e0815b8da8
Discovery 2010-06-02
Entry 2010-06-02

Todd Miller reports:

Most versions of the C library function getenv() return the first instance of an environment variable to the caller. However, some programs, notably the GNU Bourne Again SHell (bash), do their own environment parsing and may choose the last instance of a variable rather than the first one.

An attacker may manipulate the environment of the process that executes Sudo such that a second PATH variable is present. When Sudo runs a bash script, it is this second PATH variable that is used by bash, regardless of whether or not Sudo has overwritten the first instance of PATH. This may allow an attacker to subvert the program being run under Sudo and execute commands he/she would not otherwise be allowed to run.

References

CVE Name CVE-2010-1646
URL http://sudo.ws/sudo/alerts/secure_path.html