Global InterSec Advisory: sudo
By : Eric Lim [www] Find more article by Eric Lim on Security
Friday the 26th, April 2002 at 01:09 AM (EDT)

Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID: 2002041701
Changed: 25/04/2002
Author: research@globalintersec.com
Reference: http://www.globalintersec.com/adv/sudo-2002041701.txt

Summary:

    Sudo, a popular utility for allowing users to execute
    commands as other users, contains a heap corruption
    vulnerability which may be exploited to execute arbitrary
    commands.

Impact:

    A local user may gain root access through corruption of
    the heap (Off-By-Five).

Versions Tested To Be Vulnerable:

        1.6.5p2
        1.6.4
        1.6.3p7 (SuSE 7.1 Update, RedHat 7.2)
        1.6.3   (SuSE 7.1)
        1.6.2

Description:

   Sudo, an open source utility shipped with many Linux
   distributions, enables the superuser to grant non-root
   users permission to execute commands as other users
   (including root). Access to sudo is normally regulated
   via /etc/sudoers.

   One of sudo's features lets users specify the password
   prompt shown when sudo challenges them for their password.
   In the argument passed to this option (-p), a user may also
   include sequences which expand to the hostname (%h) or the
   username (%u). When it sees these expansion sequences, sudo
   will malloc() memory for the string the argument to -p will
   form once expanded.

   Unfortunately it is possible to trick sudo into allocating
   less memory than it needs for the expanded prompt. Under
   certain conditions this bug can be exploited to corrupt the
   heap in a way that could be used to execute arbitrary
   commands.

   Because of the nature of sudo, it is installed by default
   setuid root and could therefore be used to escalate a
   normal user's privileges to those of the root user, subject
   to the restrictions noted below.

Scope for attack:

   As noted above, this vulnerability could be used to escalate
   user privileges to those of the superuser. However, for this
   to happen several factors must be considered.

   -  The options sudo was compiled with may determine whether
      it is exploitable or not. In our tests we used binaries
      compiled with PAM support, which we found to be exploitable.
      Many Linux distributions ship with PAM-enabled builds of
      sudo.

      Distributions shipping PAM-enabled sudo binaries include
      those of SuSE and RedHat.

   -  The length of the hostname of the system on which a
      vulnerable binary resides is a critical factor in how
      the bug is exploited.

Work around:

   Remove the suid bit from the sudo binary and remove any
   entries in /etc/sudoers. Note that a sudo binary without the
   setuid bit cannot grant privileges at all, so this disables
   sudo entirely until a fixed version is installed.

Credit:

   This vulnerability was originally discovered by fc,
   a GIS affiliate. Research and vendor coordination
   were carried out by the Global InterSec research
   division, under Tom Parker.

   Please email research@globalintersec.com for more
   information.

   Thanks also to Todd Miller, the sudo maintainer, for
   responding so quickly to our email.


Vendor Solutions:

        A patch for version 1.6.5p2 is available at:
        http://www.globalintersec.com/adv/files/sudo-1.6.5p3.patch
       
        Both the Sudo maintainer and Vendors shipping vulnerable
        versions of sudo have been notified well in advance of the
        release date. A list of advisories by individual vendors will
        be appended to this advisory as they become available.
       
        The most recent copy of this advisory is available at the
        "Reference" URL noted in the header of this advisory.

Proof of Concept, Semi-Technical Details:

   When sudo is called with the -p parameter, expand_prompt()
   is called to check for and expand any special sequences
   passed as arguments to -p (%h or %u).

   expand_prompt() then calculates the space needed for the
   expanded prompt and malloc()s the calculated amount. When
   the required space is miscalculated, where sudo breaks
   depends on:

   - The string used to cause sudo to miscalculate the
     required space, and the length to which any expansion
     sequence(s) expand.
   - The compilation options sudo was built with.

   These factors therefore directly influence how the bug is
   to be exploited, if at all.

   In the case of the string 'h%h%' being passed to the -p
   option, miscalculation of the prompt length occurs because
   the first h in the string is treated as a %h, the last
   character still having the value % where it should have
   been given the value '
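   The two-pass expansion described in the Description and
   Proof of Concept sections above, as an added example that is
   not sudo's source and not part of the original advisory. It
   assumes the structure the advisory implies: a sizing pass
   that counts the bytes %h/%u will expand to, then a copy pass
   into malloc()ed memory, both tracking whether the previous
   byte was '%'. The modelled defect is the 'h%h%' case: the
   copy pass starts with the '%' state left over from the end
   of the sizing pass, so the leading 'h' is expanded as if it
   were %h. The function names, the hostname "localhost" and the
   username "alice" are this example's own constructions. The
   buggy copy is measured as a dry run (offsets only), so the
   example never writes outside a buffer; the corrected
   expander resets the state and checks the extent before
   writing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not sudo's source: a model of the two-pass prompt
 * expansion the advisory describes.  All names here are the example's. */

/* Pass 1: bytes in the expanded prompt (no NUL).  *subst tells whether any
 * %h/%u was seen; *last receives the '%' state at the END of the scan. */
static size_t size_pass(const char *prompt, const char *host,
                        const char *user, int *subst, char *last)
{
    size_t len = strlen(prompt);
    char lastchar = '\0';
    const char *p;

    *subst = 0;
    for (p = prompt; *p; p++) {
        if (lastchar == '%' && (*p == 'h' || *p == 'u')) {
            len += strlen(*p == 'h' ? host : user) - 2; /* "%h" -> host */
            *subst = 1;
        }
        if (lastchar == '%' && *p == '%')
            lastchar = '\0';                /* "%%" is a literal '%' */
        else
            lastchar = *p;
    }
    *last = lastchar;
    return len;
}

/* Pass 2 as a dry run: apply the copy rules from the given starting state
 * and report the lowest/highest buffer offset that would be written.
 * Nothing is written, so the buggy case can be measured safely. */
static void copy_pass_extent(const char *prompt, const char *host,
                             const char *user, char lastchar,
                             long *lo, long *hi)
{
    long np = 0;                            /* write cursor as an offset */
    const char *p;

    *lo = *hi = 0;
    for (p = prompt; *p; p++) {
        if (lastchar == '%' && (*p == 'h' || *p == 'u' || *p == '%')) {
            if (*p != '%') {                /* "%%": second '%' not copied */
                np--;                       /* back up over the copied '%' */
                if (np < *lo) *lo = np;
                np += (long)strlen(*p == 'h' ? host : user);
                if (np > *hi) *hi = np;     /* strcpy()'s NUL lands here */
            }
        } else {
            if (np > *hi) *hi = np;         /* plain byte written at np */
            np++;
        }
        if (lastchar == '%' && *p == '%')
            lastchar = '\0';
        else
            lastchar = *p;
    }
    if (np > *hi) *hi = np;                 /* terminating NUL */
}

/* Bytes the buggy copy pass writes past the end of the pass-1 allocation
 * (0 if it fits, or if no expansion happens and no buffer is allocated).
 * The bug: `last` is used as the starting state instead of '\0'. */
long buggy_overrun(const char *prompt, const char *host, const char *user)
{
    int subst; char last; long lo, hi;
    long alloc = (long)size_pass(prompt, host, user, &subst, &last) + 1;
    if (!subst) return 0;
    copy_pass_extent(prompt, host, user, last, &lo, &hi);
    return hi >= alloc ? hi - alloc + 1 : 0;
}

/* Bytes the buggy copy pass writes BEFORE the start of the allocation. */
long buggy_underrun(const char *prompt, const char *host, const char *user)
{
    int subst; char last; long lo, hi;
    (void)size_pass(prompt, host, user, &subst, &last);
    if (!subst) return 0;
    copy_pass_extent(prompt, host, user, last, &lo, &hi);
    return lo < 0 ? -lo : 0;
}

/* Corrected expansion: pass 2 starts from a clean state, so the pass-1
 * count is exact, and the extent is checked rather than trusted.
 * Returns a malloc()ed string, or NULL if the copy would not fit. */
char *expand_prompt_fixed(const char *prompt, const char *host, const char *user)
{
    int subst; char last, lastchar = '\0'; long lo, hi;
    size_t alloc = size_pass(prompt, host, user, &subst, &last) + 1;
    char *out, *np;
    const char *p;

    copy_pass_extent(prompt, host, user, '\0', &lo, &hi);
    if (lo < 0 || hi >= (long)alloc || !(out = malloc(alloc)))
        return NULL;
    for (p = prompt, np = out; *p; p++) {
        if (lastchar == '%' && (*p == 'h' || *p == 'u' || *p == '%')) {
            if (*p != '%') {
                const char *s = *p == 'h' ? host : user;
                np--;                       /* overwrite the copied '%' */
                memcpy(np, s, strlen(s));
                np += strlen(s);
            }
        } else {
            *np++ = *p;
        }
        if (lastchar == '%' && *p == '%')
            lastchar = '\0';
        else
            lastchar = *p;
    }
    *np = '\0';
    return out;
}

int main(void)
{
    const char *host = "localhost", *user = "alice";   /* constructed */
    char *fixed = expand_prompt_fixed("h%h%", host, user);
    printf("h%%h%% with host %s: buggy copy writes %ld byte(s) before and "
           "%ld past the allocation; fixed result \"%s\"\n", host,
           buggy_underrun("h%h%", host, user),
           buggy_overrun("h%h%", host, user), fixed);
    free(fixed);
    return 0;
}
```

   Running buggy_overrun() with hostnames of different lengths
   shows why the advisory calls the hostname length critical:
   the same 'h%h%' prompt writes one byte before the buffer in
   every case, but the number of bytes written past its end
   grows with the hostname, and a very short hostname does not
   overrun at all.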
