Summary
Users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using sudo --list <pathname>.
PoC
As root:
# mkdir /tmp/foo
# chmod a-rwx /tmp/foo
# touch /tmp/foo/secret_file
As a user without any (or limited) sudo rights:
$ sudo --list /tmp/foo/nonexistent_file
sudo-rs: '/tmp/foo/nonexistent_file': command not found
$ $ sudo --list /tmp/foo/secret_file
sudo-rs: Sorry, user eve may not run sudo on host.
I.e. the user can distinguish whether files exist.
Related
Original sudo (vulnerable version tested by us: 1.9.15p5) exhibited similar behaviour for files with the executable bit set.
Impact
Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks.
Credits
This issue was identified by sudo-rs developer Marc Schoolderman
Summary
Users with no (or very limited) sudo privileges can determine whether files exists in folders that they otherwise cannot access using
sudo --list <pathname>.PoC
As root:
As a user without any (or limited) sudo rights:
I.e. the user can distinguish whether files exist.
Related
Original sudo (vulnerable version tested by us: 1.9.15p5) exhibited similar behaviour for files with the executable bit set.
Impact
Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks.
Credits
This issue was identified by sudo-rs developer Marc Schoolderman