CVE-2005-4158

sudo < 1.6.8p12 - Local Perl Library Path Injection via Uncleared Environment Variables

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2005-4158. PoCs published by Breno Silva Pinto, Charles Morris.

AI-analyzed exploit summary This exploit leverages a Python environment variable manipulation vulnerability in Sudo to escalate privileges to root. By hijacking the `socket.py` module and modifying the `close()` function, an attacker can execute arbitrary commands with elevated privileges.

Description

Sudo before 1.6.8 p12, when the Perl taint flag is off, does not clear the (1) PERLLIB, (2) PERL5LIB, and (3) PERL5OPT environment variables, which allows limited local users to cause a Perl script to include and execute arbitrary library files that have the same name as library files that are included by the script.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Breno Silva Pinto · pythonlocallinux
https://www.exploit-db.com/exploits/27057

This exploit leverages a Python environment variable manipulation vulnerability in Sudo to escalate privileges to root. By hijacking the `socket.py` module and modifying the `close()` function, an attacker can execute arbitrary commands with elevated privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Sudo < 1.6.8p10
Auth required
Prerequisites: Local access to a system with vulnerable Sudo version · Ability to run Python scripts via Sudo · Write access to a directory to place malicious `socket.py`
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Breno Silva Pinto · perllocallinux
https://www.exploit-db.com/exploits/27056

This exploit leverages a security-bypass vulnerability in Sudo (versions < 1.6.8p12) by manipulating environment variables (PERLLIB and PERL5OPT) to execute arbitrary code with elevated privileges. The attacker creates a malicious Perl module (FTP.pm) that spawns a root shell when loaded by a Perl script executed via Sudo.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Sudo < 1.6.8p12
Auth required
Prerequisites: Local access to the system · Ability to run Perl scripts via Sudo · Sudo configuration allowing execution of the target script
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Charles Morris · textlocallinux
https://www.exploit-db.com/exploits/26498

This exploit leverages a security-bypass vulnerability in Sudo (versions < 1.6.8p12) by manipulating the 'PERLLIB', 'PERL5LIB', and 'PERL5OPT' environment variables to execute arbitrary code with root privileges. The attacker creates a malicious Perl module (FTP.pm) that spawns a shell when loaded, then executes a Perl script via Sudo to trigger the payload.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Sudo < 1.6.8p12
Auth required
Prerequisites: Ability to run Perl scripts via Sudo · Write access to a directory to place the malicious Perl module
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (19)

Core 19
Core References
Vendor Advisory vendor-advisory x_refsource_mandrake
http://www.mandriva.com/security/advisories?name=MDKSA-2005:234
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2006:159
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18549
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/23102
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18558
Vendor Advisory vendor-advisory x_refsource_trustix
http://www.trustix.org/errata/2006/0002/
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18463
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18308
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/2386
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/15394
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18156
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18102
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://www.ubuntu.com/usn/usn-235-1/
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2006_02_sr.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2006/dsa-946
Patch vdb-entry x_refsource_sectrack
http://securitytracker.com/alerts/2005/Nov/1015192.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21692
Patch, Vendor Advisory x_refsource_confirm
http://www.sudo.ws/sudo/alerts/perl_env.html
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17534/

Scores

EPSS 0.0108
EPSS Percentile 60.7%

Details

Status published
Products (30)
todd_miller/sudo 1.5.6
todd_miller/sudo 1.5.7
todd_miller/sudo 1.5.8
todd_miller/sudo 1.5.9
todd_miller/sudo 1.6
todd_miller/sudo 1.6.1
todd_miller/sudo 1.6.2
todd_miller/sudo 1.6.3
todd_miller/sudo 1.6.3_p1
todd_miller/sudo 1.6.3_p2
... and 20 more
Published Dec 11, 2005
Tracked Since Feb 18, 2026