------------------------------------------------------------------------
BCSA 010
Badly Coded, Inc. Security Advisory
September 25th, 2017
------------------------------------------------------------------------

BCSA-010: Incomplete recognition of sudo mode allows privilege escalation

Affected versions: 1.1 and earlier
Fixed versions: 1.2 and later

BCVI's sister executable sudobcvi runs with root privileges in order to
allow more flexible configuration of file editing permissions via
/etc/sudobcvi.conf. Thus, when running as sudobcvi, BCVI needs to perform
additional permissions checks to limit the commands that a user may run
and the files that may be edited.

Versions of BCVI up through 1.1 determined whether to run in sudobcvi mode
based on the name of the executable as passed to the program in argv[0].
However, this mode of recognizing sudobcvi execution is unreliable,
because the name of the executing binary can be controlled by an untrusted
user, for instance via a symlink or by changing the arguments in the
exec-family system call. Versions 1.2 and later have supplemented this
check with a comparison of the process's real and effective UIDs to
provide a more reliable detection of setuid operation.

We would like to acknowledge a number of students from the University of
Minnesota's Computer Science and Engineering 5271 course who reported this
vulnerability.

Version 1.2 of BCVI also contains some additional changes that were
recommended to us in the course of a third-party security audit. For
instance, as a defense in depth, we have further limited the filter
programs that may be used with the ":%!" filtering command. And we have
replaced a use of the Curses mvgetstr() function with mvgetnstr() to allow
an input length limit to be specified.

All BCVI users are recommended to upgrade at their earliest convenience.
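The following is an added illustration of the two detection strategies the advisory contrasts; it is constructed for this page and is not BCVI's or sudobcvi's own code. It assumes the privileged executable is named "sudobcvi" as in the advisory, and it takes the real and effective UIDs as parameters so the decision logic can be exercised without actually installing a setuid binary. The name-only function mirrors the pre-1.2 behaviour; the second function applies the 1.2 approach, treating a mismatch between real and effective UID as sufficient on its own to require the restricted permission checks, regardless of what argv[0] claims.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Name of the privileged executable, taken from the advisory. */
#define SUDO_NAME "sudobcvi"

/* Return the last path component of argv[0], or argv[0] itself if it
 * contains no '/'. */
static const char *basename_of(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Pre-1.2 style check (constructed illustration): decide on sudo mode purely
 * from the program name. argv[0] is supplied by whoever exec'd the process,
 * so on its own this is not a trustworthy signal of privilege. */
int sudo_mode_by_name(const char *argv0)
{
    if (argv0 == NULL)
        return 0;
    return strcmp(basename_of(argv0), SUDO_NAME) == 0;
}

/* 1.2 style check as described in the advisory: the name test is
 * supplemented with a comparison of the real and effective UID. If they
 * differ, a setuid bit is in effect and the restricted checks must apply no
 * matter what argv[0] says. Either signal is enough to select sudo mode,
 * which is the fail-safe direction: a wrong name can only add restrictions,
 * never remove them. */
int sudo_mode_by_name_and_uid(const char *argv0, uid_t ruid, uid_t euid)
{
    int setuid_active = (ruid != euid);
    return sudo_mode_by_name(argv0) || setuid_active;
}

int main(int argc, char **argv)
{
    const char *argv0 = argc > 0 ? argv[0] : NULL;
    int by_name = sudo_mode_by_name(argv0);
    int by_both = sudo_mode_by_name_and_uid(argv0, getuid(), geteuid());

    printf("argv[0]=%s ruid=%u euid=%u\n", argv0 ? argv0 : "(null)",
           (unsigned)getuid(), (unsigned)geteuid());
    printf("name-only check: %s\n", by_name ? "sudo mode" : "normal mode");
    printf("name+uid check:  %s\n", by_both ? "sudo mode" : "normal mode");
    return 0;
}
```

Run as an ordinary non-setuid binary, both checks report normal mode; the difference only shows when the UIDs diverge, which is exactly the case the name-only check fails to notice when argv[0] has been altered. Note that a process's effective UID is set by the kernel at exec time from the file's mode bits and ownership, not from anything the caller passes, which is why it is the more reliable of the two signals.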