CVE-2010-1163 in sudo
Summary
by MITRE
The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ".", which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426.
Analysis
by VulDB Data Team • 01/26/2025
The vulnerability described in CVE-2010-1163 represents a critical privilege escalation flaw within the sudo command execution mechanism that affected versions 1.6.8 through 1.7.2p5. This security issue stems from improper command resolution logic when sudo processes commands that match both regular executables and pseudo-commands defined in sudoers configuration files. The flaw specifically manifests when a user's current working directory contains an executable file with the same name as a pseudo-command such as sudoedit, and when the PATH environment variable includes a "." entry that represents the current directory. This particular configuration creates a dangerous ambiguity in command resolution that attackers can exploit to execute unauthorized code with elevated privileges.
The technical root cause of this vulnerability lies in the sudo command's command matching algorithm which fails to properly distinguish between actual system commands and pseudo-commands defined in the sudoers configuration. When a user invokes a command like sudoedit, sudo first checks if the command name matches any pseudo-commands defined in the sudoers file. However, when the PATH variable contains ".", sudo also searches the current working directory for an executable with the matching name. This dual search mechanism creates a race condition and privilege escalation vector where a malicious user can place a Trojan horse executable in their current working directory with the same name as a sudo pseudo-command. The system will execute the local executable instead of the intended system command, allowing arbitrary code execution with the privileges of the target user.
The operational impact of this vulnerability extends beyond simple privilege escalation to represent a significant threat to system integrity and security posture. Attackers can leverage this flaw to execute arbitrary commands as any user with sudo permissions, potentially compromising entire systems or networks. The vulnerability is particularly dangerous because it requires minimal user interaction and can be exploited through normal sudo usage patterns. The attack vector is stealthy since it relies on legitimate sudo functionality and does not require special privileges or complex exploitation techniques. This makes the vulnerability particularly attractive to attackers seeking persistent access or system compromise, as it can be triggered through routine administrative activities such as file editing operations using sudoedit.
The security implications of CVE-2010-1163 align with CWE-284, which addresses improper access control, and can be mapped to ATT&CK technique T1068, which covers "Exploitation for Privilege Escalation." Organizations affected by this vulnerability should immediately implement mitigations including updating to sudo versions 1.7.3 or later where this issue has been resolved. The primary mitigation strategy involves removing "." from the PATH environment variable for sudo operations or ensuring that sudoers configuration files properly handle command resolution. Additionally, system administrators should audit sudoers configurations to eliminate ambiguous command definitions and implement proper file permissions on directories where sudo commands are executed. The vulnerability demonstrates the importance of proper command resolution and privilege handling in security-critical applications, emphasizing that even well-established tools like sudo require careful attention to edge cases and security implications in their implementation.
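The command-resolution flaw described in the root-cause paragraph and the PATH hygiene check recommended under mitigations, modelled together as an added example. This is illustrative code written for this page, not sudo's source or VulDB's; the pseudo-command set, the executable lists and the sample PATH values are constructed, and `patched` stands in for the corrected behaviour (pseudo-command names are handled internally and never looked up on PATH).

```python
import os

# Constructed model of a sudoers pseudo-command and of executables on the system.
PSEUDO_COMMANDS = {"sudoedit"}
SYSTEM_EXECUTABLES = {"/usr/bin/vi", "/usr/bin/sudoedit"}


def unsafe_path_entries(path: str) -> list[str]:
    """PATH elements that resolve relative to the current directory.

    POSIX treats an empty element (leading, trailing or doubled colon) exactly
    like ".", so both are flagged, as is any other relative element.
    """
    return [e for e in path.split(":") if e in ("", ".") or not e.startswith("/")]


def resolve_command(cmd: str, path: str, cwd_files: set[str], patched: bool) -> tuple[str, str]:
    """Model of how sudo locates the command it is about to run as the target user.

    cwd_files: names of executables present in the invoking user's cwd.
    patched=False: the name matches a pseudo-command in sudoers, but the binary is
      still located by walking PATH, so a "." element lets a cwd file shadow it.
    patched=True: a pseudo-command name short-circuits before any PATH walk.
    Returns (origin, resolved) where origin is "pseudo", "cwd", "system" or "notfound".
    """
    if patched and cmd in PSEUDO_COMMANDS:
        return ("pseudo", cmd)
    for entry in path.split(":"):
        if entry in ("", "."):
            if cmd in cwd_files:
                return ("cwd", "./" + cmd)  # the Trojan horse case from the advisory
        elif entry.startswith("/") and f"{entry}/{cmd}" in SYSTEM_EXECUTABLES:
            return ("system", f"{entry}/{cmd}")
    if cmd in PSEUDO_COMMANDS:
        return ("pseudo", cmd)
    return ("notfound", cmd)


def demonstrate() -> dict[str, tuple[str, str]]:
    """Run the advisory's scenario against both behaviours with a constructed cwd."""
    cwd = {"sudoedit", "notes.txt"}
    return {
        "vulnerable_dot_in_path": resolve_command("sudoedit", ".:/usr/bin", cwd, patched=False),
        "vulnerable_clean_path": resolve_command("sudoedit", "/usr/bin:/bin", cwd, patched=False),
        "patched_dot_in_path": resolve_command("sudoedit", ".:/usr/bin", cwd, patched=True),
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
    # Audit the live environment: any hit here is the precondition the advisory names.
    print("unsafe PATH entries:", unsafe_path_entries(os.environ.get("PATH", "")))
```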