-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi!
eInstruction sells, among others, electronic whiteboards. They also provide Linux software for these, including a user land driver of sorts called Workspace. If the installation of that software succeeds, it will change /etc/sudoers to add the following two lines: ALL ALL=(ALL) NOPASSWD : /opt/eInstruction/DeviceManager/jre/bin/java -Djava.library.path\=. -classpath ./dm.jar\:./*\:./axis2-1.5/* einstruction.dm.ui.Main Defaults env_keep += "DISPLAY XAUTHORITY XAUTHLOCALHOSTNAME" The problem here is that the first command allows anyone to run pretty much anything as root: simply place a dm.jar in the current directory before executing the named command, and the named class inside it will get executed. The intention is of course to run the shipped jar with full privileges, but the command does not check the current working directory or use an absolute path. I've informed developers of this issue on 2013-12-07, in their problem report #51647. I included a statement of my plans to disclose this issue, but unfortunately forgot to actually do so. 2014-04-22 got the first response: "I will pass this information to along to our developers". Apparently no progress since then. I guess a manual fix would be replacing all relative paths by absolute ones. Not sure how secure the java code itself is, but the sudo problem should be avoidable that way. Greetings, Martin von Gagern -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlNzwEIACgkQRhp6o4m9dFu7wgCfePQEKvizjypyiiDc7/xb3P9A WhwAnA1qQWs9W6fwo/grjTzgbEq5wpA1 =jpCp -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
