CVE-2004-1689

sudo 1.6.8 - Arbitrary File Read via sudoedit Symlink Attack

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-1689. PoCs published by Angelo Rosiello.

AI-analyzed exploit summary This exploit leverages a race condition in sudoedit (sudo 1.6.8) to create a symlink to a target file (e.g., /etc/shadow) while sudoedit is running, allowing unauthorized read access. The attacker must execute the exploit while the victim has sudoedit open on a specific file.

Description

sudoedit (aka sudo -e) in sudo 1.6.8 opens a temporary file with root privileges, which allows local users to read arbitrary files via a symlink attack on the temporary file before quitting sudoedit.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Angelo Rosiello · clocallinux

https://www.exploit-db.com/exploits/470

View Code ZIP pw:eip

This exploit leverages a race condition in sudoedit (sudo 1.6.8) to create a symlink to a target file (e.g., /etc/shadow) while sudoedit is running, allowing unauthorized read access. The attacker must execute the exploit while the victim has sudoedit open on a specific file.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Racy

Target: sudo 1.6.8

Auth required

Prerequisites: sudoedit must be running on a file named 'rosiello' · Attacker must have write access to /usr/tmp

MITRE ATT&CK