rpms/sudo
6
0
Fork 0
Code Issues Pull Requests Releases Activity
c10
sudo/cve-2025-32462.patch

110 lines
3.3 KiB
Diff
Raw Permalink Blame History

# Local Privilege Escalation via host option
Sudo's host (`-h` or `--host`) option is intended to be used in
conjunction with the list option (`-l` or `--list`) to list a user's
sudo privileges on a host other than the current one. However, due
to a bug it was not restricted to listing privileges and could be
used when running a command via `sudo` or editing a file with
`sudoedit`. Depending on the rules present in the sudoers file
this could allow a local privilege escalation attack.
## Sudo versions affected:
Sudo versions 1.8.8 to 1.9.17 inclusive are affected.
## CVE ID:
This vulnerability has been assigned
[CVE-2025-32462](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32462)
in the [Common Vulnerabilities and Exposures](https://cve.mitre.org/) database.
## Details:
The intent of sudo's `-h` (`--host`) option is to make it possible
to list a user's sudo privileges for a host other than the current
one. It was only intended be used with in conjunction with the
`-l` (`--list`) option.
The bug effectively makes the hostname portion of a sudoers rule
irrelevant since the user can set the host to be used when evaluating
the rules themselves. A user must still be listed in the sudoers
file, but they do not needed to have an entry for the current host.
For example, given the sudoers rule:
``` plain
alice cerebus = ALL
```
user __alice__ would be able to run `sudo -h cerebus id` on any host,
not just _cerebus_. For example:
``` plain
alice@hades$ sudo -l
Sorry, user alice may not run sudo on hades.
alice@hades$ sudo -l -h cerebus
User alice may run the following commands on cerebus:
(root) ALL
alice@hades$ sudo -h cerebus id
uid=0(root) gid=0(root) groups=0(root)
```
## Impact:
Sudoers files that include rules where the host field is not the
current host or _ALL_ are affected. This primarily affects sites
that use a common sudoers file that is distributed to multiple
machines. Sites that use LDAP-based sudoers (including SSSD) are
similarly impacted.
For example, a sudoers rule such as:
``` plain
bob ALL = ALL
```
is not affected since the host _ALL_ already matches any hosts,
but a rule like:
``` plain
alice cerebus = ALL
```
could allow user __alice__ to run any command even if the current
host is not _cerebus_.
## Fix:
The bug is fixed in sudo 1.9.17p1.
## Credit:
Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU) for
reporting and analyzing the bug.
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 70a0c1a52..ad2fa2f61 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
time_t now;
debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
+ /* The user may only specify a host for "sudo -l". */
+ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
+ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
+ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
+ N_("user not allowed to set remote host for command"));
+ sudo_warnx("%s",
+ U_("a remote host may only be specified when listing privileges."));
+ ret = false;
+ goto done;
+ }
+ }
+
/* If given the -P option, set the "preserve_groups" flag. */
if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
def_preserve_groups = true;
Reference in New Issue View Git Blame Copy Permalink