high
7
CWE
284
Advisory Published
CVE Published
Updated

CVE-2016-7032

First published: Fri Sep 02 2016(Updated: )

Florian Weimer of Red Hat reports: the sudoers manual page says this: EXEC and NOEXEC If sudo has been compiled with noexec support and the underly‐ ing operating system supports it, the NOEXEC tag can be used to prevent a dynamically-linked executable from running further commands itself. In the following example, user aaron may run /usr/bin/more and /usr/bin/vi but shell escapes will be disabled. aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi And: To enable noexec for a command, use the NOEXEC tag as documented in the User Specification section above. Here is that example again: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi This allows user aaron to run /usr/bin/more and /usr/bin/vi with noexec enabled. This will prevent those two commands from executing other commands (such as a shell). If you are unsure whether or not your system is capable of supporting noexec you can always just try it out and check whether shell escapes work when noexec is enabled. However, the filtering DSO does not intercept all glibc functions which allow to spawn a shell. At least popen, system, and wordexp are missing: Show quoted text 0000000000000c80 T execl 0000000000000cc0 T _execl 0000000000000d00 T __execl 0000000000000d40 T execle 0000000000000d80 T _execle 0000000000000dc0 T __execle 0000000000000e00 T execlp 0000000000000e40 T _execlp 0000000000000e80 T __execlp 0000000000000ec0 T exect 0000000000000f00 T _exect 0000000000000f40 T __exect 0000000000000f80 T execv 0000000000000fc0 T _execv 0000000000001000 T __execv 00000000000011c0 T execve 0000000000001200 T _execve 0000000000001240 T __execve 0000000000001040 T execvp 0000000000001080 T _execvp 00000000000010c0 T __execvp 0000000000001100 T execvP 0000000000001140 T _execvP 0000000000001180 T __execvP 0000000000001280 T execvpe 00000000000012c0 T _execvpe 0000000000001300 T __execvpe 0000000000001340 T fexecve 0000000000001380 T _fexecve 00000000000013c0 T __fexecve 0000000000001480 T __posix_spawn 0000000000001440 T _posix_spawn 0000000000001400 T posix_spawn 0000000000001540 T __posix_spawnp 0000000000001500 T _posix_spawnp 00000000000014c0 T posix_spawnp The source file src/sudo_noexec.c contains this comment: /* * Dummy versions of the execve() family of syscalls. We don't need * to stub out all of them, just the ones that correspond to actual * system calls (which varies by OS). Note that it is still possible * to access the real syscalls via the syscall() interface but very * few programs actually do that. */ This is wrong. Interposing execve does not override internal calls to execve within glibc. The right fix is to set a seccomp filter which blocks execve in the DSO (after enabling PR_SET_NO_NEW_PRIVS), rather than attempting to play catch-up with glibc.

Credit: secalert@redhat.com secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
Todd Miller Sudo=1.6.8
Todd Miller Sudo=1.6.9
Todd Miller Sudo=1.7.0
Todd Miller Sudo=1.7.1
Todd Miller Sudo=1.7.2
Todd Miller Sudo=1.7.3
Todd Miller Sudo=1.7.4
Todd Miller Sudo=1.7.5
Todd Miller Sudo=1.7.6
Todd Miller Sudo=1.7.7
Todd Miller Sudo=1.7.8
Todd Miller Sudo=1.7.9
Todd Miller Sudo=1.7.10
Todd Miller Sudo=1.8.0
Todd Miller Sudo=1.8.1
Todd Miller Sudo=1.8.2
Todd Miller Sudo=1.8.3
Todd Miller Sudo=1.8.4
Todd Miller Sudo=1.8.5
Todd Miller Sudo=1.8.6
Todd Miller Sudo=1.8.7
Todd Miller Sudo=1.8.8
Todd Miller Sudo=1.8.9
Todd Miller Sudo=1.8.10
Todd Miller Sudo=1.8.11
Todd Miller Sudo=1.8.12
Todd Miller Sudo=1.8.13
Todd Miller Sudo=1.8.14-p3
redhat/sudo<1.8.15
1.8.15
debian/sudo
1.9.5p2-3+deb11u1
1.9.13p3-1+deb12u1
1.9.16p1-1

Remedy

https://www.sudo.ws/repos/sudo/rev/58a5c06b5257

Remedy

https://www.sudo.ws/repos/sudo/rev/a826cd7787e9

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2016-7032?

    CVE-2016-7032 is a vulnerability in Sudo before 1.8.15 on Linux that allows local users to bypass intended noexec command restrictions.

  • How does the sudo_noexec.so vulnerability work?

    The sudo_noexec.so vulnerability allows local users to bypass the intended noexec command restrictions by using an application that calls the system or popen function.

  • How severe is CVE-2016-7032?

    CVE-2016-7032 has a severity rating of high (7 out of 10).

  • Which versions of Sudo are affected by CVE-2016-7032?

    Sudo versions before 1.8.15 on Linux are affected by CVE-2016-7032.

  • Where can I find more information about CVE-2016-7032?

    You can find more information about CVE-2016-7032 on the following references: [1] [2] [3].

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203