Date:      Mon, 30 Jan 2012 10:37:08 -0500
From:      Jason Hellenthal <jhell@DataIX.net>
To:        ports@freebsd.org
Cc:        wxs@freebsd.org
Subject:   [joernchen@phenoelit.de: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability]
Message-ID:  <20120130153708.GA35684@DataIX.net>


Please update this port.

----- Forwarded message from joernchen of Phenoelit <joernchen@phenoelit.de> -----

Date: Mon, 30 Jan 2012 14:56:26 +0100
From: joernchen of Phenoelit <joernchen@phenoelit.de>
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111224
	Thunderbird/9.0.1

Hi,

FYI, see attached.

cheers,

joernchen
-- 
joernchen ~ Phenoelit
<joernchen@phenoelit.de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--++>

[ Authors ]
        joernchen       <joernchen () phenoelit de>

        Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
        sudo 1.8.0 - 1.8.3p1 (http://sudo.ws)

[ Vendor communication ]
        2012-01-24 Send vulnerability details to sudo maintainer
        2012-01-24 Maintainer is embarrassed
        2012-01-27 Asking maintainer how the fixing goes
        2012-01-27 Maintainer responds with a patch and a release date
                   of 2012-01-30 for the patched sudo and advisory
        2012-01-30 Release of this advisory

[ Description ]

        Observe src/sudo.c:

void
sudo_debug(int level, const char *fmt, ...)
{
    va_list ap;
    char *fmt2;

    if (level > debug_level)
        return;

    /* Bracket fmt with program name and a newline to make it a single write */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    va_start(ap, fmt);
    vfprintf(stderr, fmt2, ap);
    va_end(ap);
    efree(fmt2);
}

        Here getprogname() is argv[0] and thus user controlled. So
        argv[0] goes to fmt2, which then gets vfprintf()ed to stderr. The
        result is a Format String vulnerability.

[ Example ]
        /tmp $ ln -s /usr/bin/sudo %n
        /tmp $ ./%n -D9
        *** %n in writable segment detected ***
        Aborted
        /tmp $

       A note regarding exploitability: The above example shows the result
       of FORTIFY_SOURCE which makes exploitation painful but not
       impossible (see [0]). Without FORTIFY_SOURCE the exploit is
       straightforward:
         1. Use formatstring to overwrite the setuid() call with setgid()
         2. Trigger with formatstring -D9
         3. Make use of SUDO_ASKPASS and have shellcode in askpass script
         4. As askpass will be called after the formatstring has
            overwritten setuid() the askpass script will run with uid 0
         5. Enjoy the rootshell
 
[ Solution ]
        Update to version 1.8.3.p2 

[ References ]
        [0] http://www.phrack.org/issues.html?issue=67&id=9

[ end of file ]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


----- End forwarded message -----

-- 
;s =;
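The flaw the forwarded advisory describes, shown as an added example that is not part of the advisory or of sudo's own source: a stand-alone C mock of the vulnerable sudo_debug() shape (program name spliced into the format string) next to a hardened variant that passes the program name as a %s argument instead. debug_demo() and the "cpu%%load" argv[0] value are constructed for illustration, output goes to a buffer instead of stderr, and the real -D level check is omitted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape from the advisory (level gating omitted): the caller-supplied
 * program name is spliced into the format, so any '%' in argv[0] is interpreted
 * by the printf engine. Writes to a buffer rather than stderr so it can be checked. */
static int debug_unsafe(char *out, size_t outsz, const char *progname, const char *fmt, ...)
{
    va_list ap;
    char fmt2[256];
    int n;
    snprintf(fmt2, sizeof fmt2, "%s: %s\n", progname, fmt);
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt2, ap);  /* progname is now format text */
    va_end(ap);
    return n;
}

/* Hardened shape (this example's own rewrite, not sudo's upstream patch): the
 * program name travels as a %s argument, so its bytes are copied verbatim. */
static int debug_safe(char *out, size_t outsz, const char *progname, const char *fmt, ...)
{
    va_list ap;
    int n, m;
    n = snprintf(out, outsz, "%s: ", progname);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    va_start(ap, fmt);
    m = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)(n + m) + 1 >= outsz)
        return -1;                          /* message would be truncated */
    out[n + m] = '\n';
    out[n + m + 1] = '\0';
    return n + m + 1;
}

/* Feed one debug message through either variant with a constructed argv[0]. */
const char *debug_demo(int hardened, const char *progname)
{
    static char buf[256];
    if (hardened)
        debug_safe(buf, sizeof buf, progname, "level %d", 9);
    else
        debug_unsafe(buf, sizeof buf, progname, "level %d", 9);
    return buf;
}
```

With a plain program name both variants print the same line; with a '%' in argv[0] only the unsafe variant lets the printf engine interpret it, which is the difference a reviewer or a format-string linter should be looking for.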
