SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Sudo Vendors:   sudo.ws
Sudo Format String Bug Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1026600
SecurityTracker URL:  http://securitytracker.com/id/1026600
CVE Reference:   CVE 2012-0809   (Links to External Site)
Date:  Jan 30 2012
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.8.0 - 1.8.3p1
Description:   A vulnerability was reported in Sudo. A local user can obtain elevated privileges on the target system.

A local user can supply a specially crafted command line argument to trigger a format string flaw and execute arbitrary commands on the target system with root privileges.

The vulnerability resides in the sudo_debug() function in 'src/sudo.c'.

This can be exploited by local users, regardless of whether they are listed in the sudoers file.

The vendor was notified on January 24, 2012.

joernchen of Phenoelit Advisory reported this vulnerability.

Impact:   A local user can obtain root privileges on the target system.
Solution:   The vendor has issued a fix (1.8.3.p2).

The vendor's advisory is available at:

http://www.sudo.ws/sudo/alerts/sudo_debug.html

Vendor URL:  www.sudo.ws/sudo/alerts/sudo_debug.html (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:   Linux (Any)

Message History:   None.


 Source Message Contents

Date:  Mon, 30 Jan 2012 14:56:26 +0100
Subject:  Advisory: sudo 1.8 Format String Vulnerability


--Boundary_(ID_NQTSMnjGVwgRRlFQu/82vQ)
Content-type: text/plain; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT

Hi,

FYI, see attached.

cheers,

joernchen
-- 
joernchen ~ Phenoelit
<joernchen@phenoelit.de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

--Boundary_(ID_NQTSMnjGVwgRRlFQu/82vQ)
Content-type: text/plain; name=advisory_sudo.txt
Content-transfer-encoding: 7BIT
Content-disposition: attachment; filename=advisory_sudo.txt

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--++>

[ Authors ]
        joernchen       <joernchen () phenoelit de>

        Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
        sudo 1.8.0 - 1.8.3p1 (http://sudo.ws)

[ Vendor communication ]
        2012-01-24 Send vulnerability details to sudo maintainer
        2012-01-24 Maintainer is embarrased
        2012-01-27 Asking maintainer how the fixing goes
        2012-01-27 Maintainer responds with a patch and a release date
                   of 2012-01-30 for the patched sudo and advisory
        2012-01-30 Release of this advisory

[ Description ]

        Observe src/sudo.c:

void
sudo_debug(int level, const char *fmt, ...)
{
    va_list ap;
    char *fmt2;

    if (level > debug_level)
        return;

    /* Backet fmt with program name and a newline to make it a single 
    write */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    va_start(ap, fmt);
    vfprintf(stderr, fmt2, ap);
    va_end(ap);
    efree(fmt2);
}

        Here getprogname() is argv[0] and by this user controlled. So 
        argv[0] goes to fmt2 which then gets vfprintf()ed to stderr. The
        result is a Format String vulnerability.   

[ Example ]
        /tmp $ ln -s /usr/bin/sudo %n
        /tmp $ ./%n -D9
        *** %n in writable segment detected ***
        Aborted
        /tmp $

       A note regarding exploitability: The above example shows the result
       of FORTIFY_SOURCE which makes explotitation painful but not 
       impossible (see [0]). Without FORTIFY_SOURCE the exploit is straight
       forward:
         1. Use formatstring to overwrite the setuid() call with setgid()
         2. Trigger with formatstring -D9 
         3. Make use of SUDO_ASKPASS and have shellcode in askpass script
         4. As askpass will be called after the formatstring has 
            overwritten setuid() the askepass script will run with uid 0
         5. Enjoy the rootshell
 
[ Solution ]
        Update to version 1.8.3.p2 

[ References ]
        [0] http://www.phrack.org/issues.html?issue=67&id=9

[ end of file ]

--Boundary_(ID_NQTSMnjGVwgRRlFQu/82vQ)--
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC