Vulnerability Development
mailing list archives
research on recent Sudo overflows wanted
From: KF <dotslash () snosoft com>
Date: Tue, 05 Jun 2001 14:54:12 -0400
alright, I have been researching the recent sudo overflow a bit and I need some help...
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated sudo packages fixing buffer overrun available
Advisory ID: RHSA-2001:019-02
Issue date: 2001-02-23
Updated on: 2001-03-21
...
An overrunnable buffer exists in sudo versions prior to 1.6.3p6
The code splitting a log entry into smaller chunks contained an
overrunnable buffer. Carefully constructed long commands could lead to
execution of code as root. There is no known exploit at this time.
My research notes are below...does anyone have ideas for the
exploitation of this hole?
/*
 * Two main functions, log_error() to log errors and log_auth() to
 * log allow/deny messages.
 */
File: logging.h
# define MAXSYSLOGLEN 960
File: logging.c
/*
 * Log a message to syslog, pre-pending the username and splitting the
 * message into parts if it is longer than MAXSYSLOGLEN.
 */
...
/*
 * Log the full line, breaking into multiple syslog(3) calls if necessary
 */
for (p = msg, count = 0; count < strlen(msg) / MAXSYSLOGLEN + 1; count++) {
    if (strlen(p) > MAXSYSLOGLEN) {
        /*
         * Break up the line into what will fit on one syslog(3) line
         * Try to break on a word boundary if possible.
         */
        for (tmp = p + MAXSYSLOGLEN; tmp > p && *tmp != ' '; tmp--)
            ;
        if (tmp <= p)
            tmp = p + MAXSYSLOGLEN;

        /* NULL terminate line, but save the char to restore later */
        save = *tmp;
... more code
blah blah, more stuff, then this is where it pukes:
easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s",
    message, user_tty, user_cwd, *user_runas, user_cmnd,
    user_args ? " " : "", user_args ? user_args : "");
sooooooo let's get an old version of sudo and compile it
[root () linux sudo-1.6.3p5]# ./configure --with-logging=syslog
as root, test it out
[root () linux d0tslash]# sudo su `perl -e 'print "A" x 4948'`
Segmentation fault
as a User in sudoers:
[d0tslash () linux d0tslash]$ /usr/local/bin/sudo su `perl -e 'print "A" x 4948'`
Password:
Segmentation fault
as a user not in sudoers:
sh-2.04$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
sh-2.04$ /usr/local/bin/sudo su `perl -e 'print "A" x 4948'`
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
Password:
Sorry, try again.
Password:
/usr/local/bin/sudo: 1 incorrect password attempt
Segmentation fault
sh-2.04$
ok, let's break out gdb
[root () linux sudo-1.6.3p5]# gdb sudo
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
(gdb) run ls `perl -e 'print "A" x 4948'`
Starting program: /home/d0tslash/sudo-1.6.3p5/sudo ls `perl -e 'print "A" x 4948'`
Program received signal SIGSEGV, Segmentation fault.
0x0804ae71 in do_syslog (pri=5,
    msg=0x806a4a8 "TTY=pts/1 ; PWD=/home/d0tslash/sudo-1.6.3p5 ; USER=root ; COMMAND=/bin/ls ", 'A' <repeats 126 times>...) at logging.c:138
138 for (p = tmp; *p != ' '; p++)
(gdb) bt
#0 0x0804ae71 in do_syslog (pri=5,
    msg=0x806a4a8 "TTY=pts/1 ; PWD=/home/d0tslash/sudo-1.6.3p5 ; USER=root ; COMMAND=/bin/ls ", 'A' <repeats 126 times>...) at logging.c:138
#1 0x0804b370 in log_auth (status=2, inform_user=1) at logging.c:302
#2 0x0804c61a in main (argc=3, argv=0xbfffe4dc) at sudo.c:334
#3 0x4006d0de in __libc_start_main () from /lib/libc.so.6
Ideas please... I can't seem to hit the eip or overwrite anything.
-KF
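An added example, not sudo's code and not part of the original post: a bounds-respecting rewrite of the chunking loop quoted above, run over a constructed log line shaped like the crash input (a 51-byte "TTY=... COMMAND=/bin/ls " prefix plus 4948 'A's). It shows two things the 1.6.3p5 loop gets wrong: a word-boundary split can need more chunks than strlen(msg) / MAXSYSLOGLEN + 1 allows (seven here, not six), and the forward skip after a chunk (the loop gdb stops in at logging.c:138) must terminate at the string's NUL rather than hunting for a space. The struct and function names are my own.

```c
#include <string.h>

#define MAXSYSLOGLEN 960   /* same limit as sudo's logging.h */
#define DEMO_LEN     4999  /* constructed: 51-byte prefix + 4948 'A's */

struct piece { size_t off, len; };  /* one syslog(3)-sized chunk of msg */

/*
 * Split msg into chunks of at most MAXSYSLOGLEN bytes, breaking on a space
 * where one exists. Unlike the 1.6.3p5 loop, the outer loop runs until the
 * string is consumed rather than for a precomputed count, and the forward
 * skip only steps over spaces, so p can never run past the terminating NUL.
 * Returns the number of chunks written to out (at most max).
 */
static size_t split_log_line(const char *msg, struct piece *out, size_t max)
{
    const char *p = msg;
    size_t n = 0;
    while (*p != '\0' && n < max) {
        size_t len = strlen(p);
        if (len > MAXSYSLOGLEN) {
            /* walk back from the limit looking for a word boundary */
            for (len = MAXSYSLOGLEN; len > 0 && p[len] != ' '; len--)
                ;
            if (len == 0)
                len = MAXSYSLOGLEN;   /* no space in range: hard split */
        }
        out[n].off = (size_t)(p - msg);
        out[n].len = len;
        n++;
        for (p += len; *p == ' '; p++)  /* skip separators, stops at NUL */
            ;
    }
    return n;
}

static struct piece demo_pc[16];  /* chunks of the constructed sample */

/* Constructed sample modelled on the post's crash input; returns chunk count. */
static size_t demo_split(void)
{
    static char msg[DEMO_LEN + 1];
    const char *prefix = "TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/ls ";
    size_t plen = strlen(prefix);

    memcpy(msg, prefix, plen);
    memset(msg + plen, 'A', DEMO_LEN - plen);
    msg[DEMO_LEN] = '\0';
    return split_log_line(msg, demo_pc, 16);
}
```

After demo_split() returns 7, demo_pc holds the 50-byte prefix chunk, five hard-split 960-byte runs of 'A' and a final 148-byte tail, with no chunk ever read beyond the 4999 bytes of the message.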