26th Sep 2002 [SBWID-5312]
COMMAND
sudo local heap overflow
SYSTEMS AFFECTED
Sudo 1.6.5p2, 1.6.4, 1.6.3p7, 1.6.3, 1.6.2
PROBLEM
From the Global InterSec LLC [http://www.globalintersec.com] advisory [ID:
2002041701]:
--snipp--
When sudo is called with the -p parameter, expand_prompt() is called to
check for and expand any special characters passed as arguments to -p
(%h or %u).
expand_prompt will then calculate space for the expanded prompt and
malloc() the calculated amount. On miscalculation of the required
space, the place at which sudo breaks will depend on:
- The string used to cause sudo to miscalculate the required space and
  the length which any expansion character(s) expand to.
- The compilation options sudo was built with.
These factors therefore have a direct influence on how the bug is to be
exploited, if at all.
In the case of a string 'h%h%' being passed to the -p option,
miscalculation of the prompt length occurs due to the first h in our
string being treated as a %h and the last character still having the
value of % where it should have been given the value '\0' if *lastchar
had been re-initialised correctly.
In the example below we used a system whose hostname was 7 bytes long.
Because of the length of the hostname, we were able to trigger the
vulnerability, but without causing a SEGV, before we were able to write
additional data into memory for sudo to read into.
In the case of a system with a hostname over 8 bytes, you may find that
the expansion of the hostname has written so far into memory that sudo
segfaults before additional memory can be written via the password
prompt.
In this case an alternative method would be needed to write into memory
so that relevant registers are corrupted. This could possibly be in
parameters to -p or in the environment variable 'SUDO_PROMPT' (which -p
overrides).
user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > gdb sudo
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
(gdb) r -p h%h% -s
Starting program: /research/sudo/dist/sudo-1.6.5p2/sudo -p h%h% -s
efiantdefian=A1 <4 Bytes>\xef\xbe\xad\xde\<84 Bytes> # Password Challenge
Sorry, try again.
Program received signal SIGSEGV, Segmentation fault.
0x400d49c1 in chunk_alloc () from /lib/libc.so.6
(gdb) i r $edi
edi 0xdeadbeef -559038737
(gdb)
Note that %ecx and %edx were also within our reach.
Our example used a sudo 1.6.5p2 binary with --with-pam enabled at build
time.
The off-by-five condition still occurs when sudo is compiled without
PAM as we can see from the following example, using a slightly modified
version of sudo.
user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > ./sudo -p h%h% -s
Allocating 9 bytes for prompt: efiantdefiant% (14 bytes long)
efiantdefiant%
Sorry, try again.
efiantdefiant%
^C
./sudo: 1 incorrect password attempt
user@defiant:~/research/sudo/dist/sudo-1.6.5p2 >
To this end, sudo without PAM support (or in any other configuration)
must be considered vulnerable, as alternative ways to cause functions in
sudo to read into corrupted areas of memory and gain flow control of
sudo (other than the PAM functions) may exist.
--snapp--
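The two-pass sizing-then-copy logic the advisory describes, as an added example (this is a model written for this page, not sudo's own check.c): the sizing pass counts each "%h"/"%u" as expanding to the hostname/username, and the copy pass reuses the lastchar left over from the sizing pass instead of starting from '\0'. With the advisory's prompt 'h%h%' and a 7-byte hostname ("defiant", taken from the transcript above; the username "user" is assumed) the sizing pass asks for 9+1 bytes while the copy pass stores 15 bytes at the buffer and one byte before it, leaving "efiantdefiant%" in place. The variant that resets lastchar before the copy is an assumed minimal fix for comparison; the page itself only says to upgrade to sudo 1.6.6. Writes go into a guarded scratch buffer so the model runs without corrupting a real heap chunk.

```c
/* Model of the vulnerable expand_prompt() sizing and copy passes.
 * Added example, not sudo's code: reproduces the stale-lastchar behaviour
 * the advisory describes inside a guarded scratch buffer. */
#include <stdio.h>
#include <string.h>

enum { GUARD = 64, SCRATCH = 512 };

struct expand_result {
    size_t allocated;   /* bytes the sizing pass would emalloc(): len + 1 */
    size_t written;     /* bytes stored at or after new_prompt[0], NUL included */
    int underflow;      /* copy pass wrote before new_prompt[0] */
    char out[SCRATCH];  /* string left at new_prompt[0] */
};

/* Pass 1: count. Each "%h"/"%u" (two bytes) becomes strlen(host)/strlen(user).
 * Hands back the final lastchar, which the vulnerable copy pass reuses. */
static size_t sizing_pass(const char *prompt, const char *user, const char *host,
                          char *lastchar_out)
{
    size_t len = strlen(prompt);
    char lastchar = '\0';
    for (const char *p = prompt; *p; p++) {
        if (lastchar == '%') {
            if (*p == 'h')      len += strlen(host) - 2;
            else if (*p == 'u') len += strlen(user) - 2;
        }
        lastchar = (lastchar == '%' && *p == '%') ? '\0' : *p;
    }
    *lastchar_out = lastchar;
    return len;
}

/* Pass 2: copy with substitution. reset_lastchar=0 models the vulnerable
 * build: lastchar keeps the value pass 1 left ('%' when the prompt ends in
 * '%'), so a leading 'h'/'u' is expanded and np-- steps before the buffer.
 * reset_lastchar=1 is the assumed fix: start the copy pass from '\0'. */
static struct expand_result model_expand(const char *prompt, const char *user,
                                         const char *host, int reset_lastchar)
{
    struct expand_result r;
    char scratch[SCRATCH];
    char *base = scratch + GUARD;     /* stands in for the emalloc()'d new_prompt */
    char *np = base, *lowest = base, lastchar;
    memset(scratch, 0, sizeof scratch);
    r.allocated = sizing_pass(prompt, user, host, &lastchar) + 1;
    if (reset_lastchar)
        lastchar = '\0';
    for (const char *p = prompt; *p; p++) {
        if (lastchar == '%' && (*p == 'h' || *p == 'u' || *p == '%')) {
            if (*p != '%') {            /* "%%": the first '%' is already stored */
                const char *sub = (*p == 'h') ? host : user;
                size_t n = strlen(sub);
                np--;                   /* back over the '%' stored last round */
                if (np < lowest) lowest = np;
                if (np + n >= scratch + SCRATCH - 1) break;  /* keep the model in bounds */
                memcpy(np, sub, n);
                np += n;
            }
        } else {
            if (np >= scratch + SCRATCH - 1) break;
            *np++ = *p;
        }
        lastchar = (lastchar == '%' && *p == '%') ? '\0' : *p;
    }
    *np = '\0';
    r.written = (size_t)(np - base) + 1;
    r.underflow = lowest < base;
    memcpy(r.out, base, (size_t)(np - base) + 1);
    return r;
}

/* Scalar views of the model for checks. */
size_t bytes_allocated(const char *prompt, const char *user, const char *host)
{
    char lc;
    return sizing_pass(prompt, user, host, &lc) + 1;
}
size_t bytes_written(const char *prompt, const char *user, const char *host, int reset)
{
    return model_expand(prompt, user, host, reset).written;
}
int underflows(const char *prompt, const char *user, const char *host, int reset)
{
    return model_expand(prompt, user, host, reset).underflow;
}
int expands_to(const char *prompt, const char *user, const char *host, int reset,
               const char *expected)
{
    struct expand_result r = model_expand(prompt, user, host, reset);
    return strcmp(r.out, expected) == 0;
}

int main(void)
{
    /* Constructed prompts: the advisory's trigger, and a normal prompt that
     * ends in a non-'%' byte so the stale lastchar is harmless. */
    const char *cases[] = { "h%h%", "%u@%h: " };
    for (size_t i = 0; i < sizeof cases / sizeof *cases; i++) {
        struct expand_result v = model_expand(cases[i], "user", "defiant", 0);
        struct expand_result f = model_expand(cases[i], "user", "defiant", 1);
        printf("prompt \"%s\": alloc %zu, vulnerable writes %zu%s -> \"%s\", "
               "reset writes %zu -> \"%s\"\n",
               cases[i], v.allocated, v.written,
               v.underflow ? " (+1 byte before buffer)" : "", v.out,
               f.written, f.out);
    }
    return 0;
}
```

The trigger needs both halves: a prompt ending in '%' so pass 1 leaves lastchar as '%', and a leading 'h' or 'u' for the stale value to act on. The overrun past the 10-byte allocation is 5 bytes, the "off-by-five" the advisory names, and its size scales with the hostname, which is why a longer hostname can crash sudo before the password prompt is ever reached.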
SOLUTION
Get sudo 1.6.6
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
http://www.sudo.ws/sudo/dist/