CVE-2023-42456: sudo-rs Session File Relative Path Traversal vulnerability
An issue was discovered where usernames containing the . and / characters could result in the corruption of specific files on the filesystem. As usernames are generally not limited by the characters they can contain, a username appearing to be a relative path can be constructed. For example, we could add a user to the system containing the username ../../../../bin/cp. When logged in as a user with that name, that user could run sudo -K to clear their session record file. The session code then constructs the path to the session file by concatenating the username to the session file storage directory, resulting in a resolved path of /bin/cp. The code then clears that file, resulting in the cp binary effectively being removed from the system.
An attacker needs to be able to log in as a user with a constructed username. Given that such a username is unlikely to exist on an existing system, they will also need to be able to create users with such constructed usernames.
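The path construction described above, next to a defensive check, as an added example that is not sudo-rs code and not the project's actual fix. The session directory and all function names are hypothetical, and the directory depth is chosen so the advisory's example username lands on /bin/cp.

```rust
use std::path::{Component, Path, PathBuf};

// Hypothetical session directory (assumption, not the real sudo-rs location).
const SESSION_DIR: &str = "/var/run/sudo-rs/ts";

/// Resolve `.` and `..` lexically, without touching the filesystem,
/// to show where a joined path ends up.
fn lexical_normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Pattern from the advisory: the username is appended to the directory unchecked.
fn naive_session_path(username: &str) -> PathBuf {
    lexical_normalize(&Path::new(SESSION_DIR).join(username))
}

/// Defensive variant: accept the name only if it is exactly one normal
/// path component, byte-for-byte (rejects "..", "a/b", "a/", "/abs", "").
fn checked_session_path(username: &str) -> Option<PathBuf> {
    let mut comps = Path::new(username).components();
    match (comps.next(), comps.next()) {
        (Some(Component::Normal(name)), None) if name == username => {
            Some(Path::new(SESSION_DIR).join(name))
        }
        _ => None,
    }
}

fn main() {
    // Constructed sample usernames; the first is the one from the advisory text.
    for user in ["../../../../bin/cp", "alice", "alice/", ".."] {
        println!("{:?}: naive={:?} checked={:?}",
                 user, naive_session_path(user), checked_session_path(user));
    }
}
```

Keying the session file on a value that cannot contain path separators, such as the numeric uid, removes the need to validate the name at all.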
References
- ferrous-systems.com/blog/sudo-rs-audit
- github.com/advisories/GHSA-2r3c-m6v7-9354
- github.com/memorysafety/sudo-rs
- github.com/memorysafety/sudo-rs/commit/bfdbda22968e3de43fa8246cab1681cfd5d5493d
- github.com/memorysafety/sudo-rs/security/advisories/GHSA-2r3c-m6v7-9354
- nvd.nist.gov/vuln/detail/CVE-2023-42456
- rustsec.org/advisories/RUSTSEC-2023-0069.html