VYPR
Low severity · NVD Advisory · Published May 12, 2025 · Updated May 12, 2025

sudo-rs Allows Low Privilege Users to Discover the Existence of Files in Inaccessible Folders

CVE-2025-46717

Description

sudo-rs is a memory-safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exist in folders that they otherwise cannot access using sudo --list. Users with local access to a machine can discover the existence or non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

sudo-rs before 0.2.6 lets low-privileged users detect file existence in otherwise inaccessible directories via `sudo --list`.

A vulnerability in sudo-rs, a memory-safe implementation of sudo and su written in Rust, allows local users with no or very limited sudo privileges to determine whether specific files exist in directories they cannot otherwise access. The bug resides in the sudo --list command, which returns different error messages depending on whether the specified file exists, even when the user lacks read or execute permissions on the containing directory [2][4]. The lookup succeeds where the user's own access would fail because sudo-rs, like sudo, is installed setuid root and resolves the command path with root's privileges before it has decided whether the user may run it.

To exploit this, a local attacker simply runs sudo --list with a target path. If the file does not exist, the tool returns a "command not found" error; if the file exists, the user receives a message stating they are not permitted to run the command. No sudo privilege is required: any user with a local shell can run sudo --list, so the probe is trivial [4]. The issue affects all versions prior to 0.2.6.

The impact is information disclosure: an attacker can map file existence in protected folders, potentially revealing sensitive file names that hint at system configuration, monitoring scripts, or secret data. This information can also be combined with other attack vectors, such as race conditions or privilege escalation attempts [2].

Version 0.2.6 fixes the vulnerability by altering the behavior of --list to perform its additional checks before reporting an error, so that the response no longer differs with the existence of the file [3]. Users should update to 0.2.6 or later; the advisory notes that the original sudo exhibited similar behavior in some configurations [4].
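The ordering problem described above, as an added illustrative model and not sudo-rs's own code: the vulnerable path resolves the command on disk (as root) before consulting the policy, so the "command not found" versus "not allowed" branches act as an existence oracle; the fixed path consults the policy first and only touches the filesystem for a user who is permitted to run the command. Everything here is constructed for the example: the in-memory host, the user names alice and admin, the sample paths, the simplified sudoers match (no path canonicalization, which real sudoers matching does perform), and the message strings, which stand in for sudo-rs's actual wording.

```rust
use std::collections::HashSet;

/// Constructed model of a host: which paths exist, and which users may run
/// which commands via sudo. sudo-rs is setuid root, so its own path lookups
/// succeed regardless of the probing user's directory permissions; the model
/// mirrors that by never consulting the user's permissions in `file_exists`.
struct Host {
    existing_files: HashSet<&'static str>,
    /// (user, allowed command path); "ALL" means any command.
    sudoers: Vec<(&'static str, &'static str)>,
}

impl Host {
    fn file_exists(&self, path: &str) -> bool {
        self.existing_files.contains(path)
    }

    /// Simplified sudoers match: exact path or "ALL" (no canonicalization).
    fn allowed(&self, user: &str, path: &str) -> bool {
        self.sudoers
            .iter()
            .any(|(u, cmd)| *u == user && (*cmd == "ALL" || *cmd == path))
    }
}

// Illustrative response strings (assumed wording, not sudo-rs's exact messages).
const NOT_FOUND: &str = "command not found";
const NOT_PERMITTED: &str = "not allowed to execute";
const ALLOWED: &str = "allowed";

/// Pre-0.2.6 ordering as described in the advisory: resolve the command first,
/// then consult the policy. The early return leaks whether `path` exists to
/// a user who has no sudo rights at all.
fn list_vulnerable(host: &Host, user: &str, path: &str) -> &'static str {
    if !host.file_exists(path) {
        return NOT_FOUND;
    }
    if host.allowed(user, path) { ALLOWED } else { NOT_PERMITTED }
}

/// Post-0.2.6 ordering: decide from the policy first. The filesystem is only
/// consulted for a user who could run the command anyway, so an unprivileged
/// user gets the same answer for present and absent files.
fn list_fixed(host: &Host, user: &str, path: &str) -> &'static str {
    if !host.allowed(user, path) {
        return NOT_PERMITTED;
    }
    if host.file_exists(path) { ALLOWED } else { NOT_FOUND }
}

/// An implementation leaks existence to `user` when two probes that differ
/// only in whether the target exists produce different responses.
fn leaks_existence(
    list: fn(&Host, &str, &str) -> &'static str,
    host: &Host,
    user: &str,
    present: &str,
    absent: &str,
) -> bool {
    list(host, user, present) != list(host, user, absent)
}

/// Constructed sample: a root-owned key the probing user cannot reach, and
/// a single privileged account in sudoers.
fn sample_host() -> Host {
    Host {
        existing_files: HashSet::from(["/root/.ssh/id_ed25519", "/usr/bin/ls"]),
        sudoers: vec![("admin", "ALL")],
    }
}

fn main() {
    let host = sample_host();
    let present = "/root/.ssh/id_ed25519"; // exists, unreadable by alice
    let absent = "/root/.ssh/id_rsa"; // does not exist
    for (name, list) in [
        ("vulnerable", list_vulnerable as fn(&Host, &str, &str) -> &'static str),
        ("fixed", list_fixed),
    ] {
        println!(
            "{name}: present -> {:?}, absent -> {:?}, leaks existence: {}",
            list(&host, "alice", present),
            list(&host, "alice", absent),
            leaks_existence(list, &host, "alice", present, absent)
        );
    }
}
```

To check an installed sudo-rs the same way, run sudo --list as an unprivileged user against a path you know exists inside a directory you cannot enter and against a sibling name that does not exist, and compare the two responses; a fixed build answers both identically.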

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Affected versions   Patched versions
sudo-rs (crates.io)   < 0.2.6             0.2.6

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 0