(OpenBSD Issues Fix for 2.9 and 3.x) Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
SecurityTracker Alert ID: 1004166
CVE Reference: CVE-2002-0184
Updated: Nov 19 2003
Original Entry Date: Apr 26 2002
Impact: Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.6.5p2 and prior
Description: A vulnerability has been reported in the sudo utility. A local user may be able to obtain root privileges.

Global InterSec reported an off-by-five heap overflow in 'sudo'. A local user can apparently call sudo with a specially formatted argument for the -p command line option to trigger the overflow. It is reported that sudo may not correctly allocate memory when parsing the '%h' (hostname) or '%u' (username) strings in the argument in some situations. A local user could potentially trigger the overflow and execute arbitrary code with root privileges.

The exact conditions required to exploit this flaw were not provided. However, it is reported that the compile-time options and the length of the hostname may affect whether the application is vulnerable.
Impact: A local user may be able to execute arbitrary code with root privileges in certain situations.

Solution: OpenBSD has released patches:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/025_sudo.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/020_sudo.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/002_sudo.patch

Vendor URL: www.courtesan.com/sudo/
Cause: Boundary error
Underlying OS: UNIX (OpenBSD)
Underlying OS Comments: 2.9, 3.0, 3.1
Reported By: "Todd C. Miller" <Todd.Miller@courtesan.com>

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Thu, 25 Apr 2002 22:54:27 -0600
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Subject: Potential sudo security hole

Summary:
A heap corruption bug exists in sudo versions 1.5.7 to 1.6.5p2
(inclusive). The problem affects expansion of the "%h" and
"%u" escape sequences in the prompt. Due to a bug it is possible
to craft a prompt such that more bytes are written than have
been allocated.

Exploiting heap corruption bugs like this requires fairly
in-depth knowledge of a system's malloc internals. This class
of bug has been exploited with the glibc malloc but not, to my
knowledge, with the malloc shipped with OpenBSD. It would be
foolish, however, to simply assume that it is not exploitable
on OpenBSD.

Details:
Sudo expands "%h" and "%u" to the hostname and username
respectively. This is done in two steps. In the first step
sudo calculates the amount of memory required to hold the
expanded string. In the second step it does the actual string
copying and escape sequence expansion. The bug occurs because
a variable used to store the last character seen was not
re-initialized before the second loop. Consequently, if the
last character in the prompt is a '%' and the first character
is a 'h' or 'u', sudo will mistakenly expand the 'h' or 'u',
thinking the last character processed was a '%'. This causes
the computed length to be too small and the malloced buffer
will overflow.

Credit:
This problem was brought to my attention by Global InterSec LLC.
For more information, see their advisory:
http://www.globalintersec.com/adv/sudo-2002041701.txt

Patches:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/025_sudo.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/020_sudo.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/002_sudo.patch
The patches are already in the 2.9, 3.0 and 3.1 patch branches
(aka the -stable branches).
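The two-pass sizing bug that the Details section of the message above describes, modelled in C as an added example written for this entry (it is a reconstruction from the advisory text, not sudo's own code; `prompt_pass`, `prompt_mismatch` and the sample hostname and username are assumptions). The sizing pass and the copy pass share one `lastchar` variable; clearing it before the copy pass is the fix, and the copy is made into a buffer sized for the worst case so the demonstration itself never corrupts memory.

```c
#include <string.h>

/* One pass over `prompt`: counts the expanded bytes and, when `out` is
 * non-NULL, writes them. `*lastchar` is the carried-over "previous char". */
static size_t prompt_pass(const char *prompt, const char *host,
                          const char *user, char *lastchar, char *out)
{
    size_t n = 0;
    for (const char *p = prompt; *p; p++) {
        if (*lastchar == '%') {
            const char *rep = *p == 'h' ? host : *p == 'u' ? user : NULL;
            if (rep) {                     /* %h or %u: emit the expansion */
                if (out) memcpy(out + n, rep, strlen(rep));
                n += strlen(rep);
                *lastchar = '\0';
                continue;
            }
            if (out) out[n] = '%';         /* '%' not followed by h or u */
            n++;
        }
        if (*p != '%') {                   /* ordinary character */
            if (out) out[n] = *p;
            n++;
        }
        *lastchar = *p;
    }
    if (*lastchar == '%') {                /* prompt ended in a pending '%' */
        if (out) out[n] = '%';
        n++;
    }
    if (out) out[n] = '\0';
    return n;
}

/* Sizing pass, then copy pass. Returns 1 when the copy exceeds the size
 * computed (both sizes, NUL included, come back via the out-parameters).
 * reset == 0 leaks the stale `lastchar` (the bug); reset == 1 is the fix. */
static int prompt_mismatch(const char *prompt, const char *host,
                           const char *user, int reset,
                           size_t *allocated, size_t *written)
{
    char lastchar = '\0', buf[512];        /* worst-case local scratch */
    if (strlen(prompt) * (strlen(host) + strlen(user) + 1) + 2 > sizeof buf)
        return -1;                         /* keep the demo in bounds */
    *allocated = prompt_pass(prompt, host, user, &lastchar, NULL) + 1;
    if (reset) lastchar = '\0';            /* the fix: start pass 2 clean */
    *written = prompt_pass(prompt, host, user, &lastchar, buf) + 1;
    return *written > *allocated;
}
```

In this model a prompt that begins with 'h' and ends with '%' makes the copy pass produce strlen(hostname) - 1 bytes more than the sizing pass counted, which is the dependence on hostname length the entry mentions; with `reset` set the two passes agree.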