Bash scripts run via Sudo can be subverted

Summary:

A flaw in exists in sudo's environment sanitizing prior to sudo version 1.6.8p2 that could allow a malicious user with permission to run a shell script that utilized the bash shell to run arbitrary commands. The /bin/sh shell on most (if not all) Linux systems is bash.

Sudo versions affected:

All versions prior to 1.6.8p2.

CVE ID:

This vulnerability has been assigned CVE-2004-1051 in the Common Vulnerabilities and Exposures database.

Details:

When it starts up, bash searches the environment for variables with a value beginning with "()". For each environment variables that matches, a function with the same name as the corresponding variable is created (with the function body filled in from the environment variable's value).

A malicious user with sudo access to a shell script that uses bash can use this feature to substitute arbitrary commands for any non-fully qualified programs called from the script.

Impact:

Exploitation of the bug requires that the bash shell be installed on the machine and that users be granted sudo access to run scripts written in bash. On most (if not all) Linux systems, /bin/sh is bash so /bin/sh scripts are affected by this as well.

Fix:

The bug is fixed in sudo 1.6.8p2.

Workaround:

The administrator can add a line to the sudoers file:
Defaults	env_reset
that will reset the environment to only contain the variables HOME, LOGNAME, PATH, SHELL, TERM, and USER, preventing this attack.

Credit:

This problem was brought to my attention by Liam Helmer.