SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Sudo
Vendors:   Miller, Todd C.
Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
SecurityTracker Alert ID:  1004152
SecurityTracker URL:  http://securitytracker.com/id/1004152
CVE Reference:   CVE-2002-0184
Updated:  Nov 19 2003
Original Entry Date:  Apr 25 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.6.5p2 and prior
Description:   A vulnerability has been reported in the sudo utility. A local user may be able to obtain root privileges.

Global InterSec reported an off-by-five heap overflow in 'sudo'. A local user can apparently call sudo with a specially formatted argument for the -p command line option to trigger the overflow. It is reported that sudo may not correctly allocate memory when parsing the '%h' (hostname) or '%u' (username) strings in the argument in some situations. A local user could potentially trigger the overflow and execute arbitrary code with root privileges.

The exact conditions required to exploit this flaw were not provided. However, it is reported that the compile-time options and the length of the hostname may affect whether the application is vulnerable.

Impact:   A local user may be able to execute arbitrary code with root privileges in certain situations.
Solution:   The vendor has reportedly issued a patch for version 1.6.5p2, available at:

http://www.globalintersec.com/adv/files/sudo-1.6.5p3.patch

As a workaround, the author of the report suggests removing the suid bit from the sudo binary and removing any entries in /etc/sudoers.

Vendor URL:  www.courtesan.com/sudo/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
The vendor has issued a fix.
(OpenBSD Issues Patch for 3.x) Re: Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
OpenBSD has issued patches for sudo.
(Debian Issues Fix) Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
The vendor has released a fix.
(Red Hat Issues Fix for Red Hat Powertools 6.2) Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
The vendor has released a fix for Red Hat Powertools 6.2.
(Red Hat Issues Fix) Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
The vendor has released a fix.
(Mandrake Issues Fix) Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
The vendor has released a fix.
(OpenBSD Issues Fix for 2.9 and 3.x) Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
OpenBSD has released a fix.
(Slackware Issues Fix) Re: Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
A fix has been issued for Slackware.
(Conectiva Issues Fix) Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
Conectiva has released a fix.
(EnGarde Issues Fix) Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
The vendor has released a fix for EnGarde Secure Linux.
(Trustix Issues Fix) Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
The vendor has released a fix for Trustix Secure Linux.
(SuSE Issues Fix) Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
SuSE has released a fix.
(Apple Issues Fix) Re: Sudo Utility Has Heap Overflow That May Let Local Users Execute Arbitrary Code with Root Privileges
Apple has issued a fix for Mac OS X.


Source Message Contents

Subject:  [Global InterSec 2002041701] Sudo Password Prompt


Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID: 2002041701
Changed: 25/04/2002
Author: research@globalintersec.com
Reference: http://www.globalintersec.com/adv/sudo-2002041701.txt

Summary:

    Sudo, a popular utility for allowing users to execute
    commands as other users, contains a vulnerability that
    may be exploited to execute arbitrary commands.

Impact:

    A local user may gain root access through corruption of
    the heap (Off-By-Five).

Versions Tested To Be Vulnerable:

	1.6.5p2
	1.6.4
	1.6.3p7	(SuSE 7.1 Update, RedHat 7.2)
	1.6.3	(SuSE 7.1)
	1.6.2

Description:

   Sudo, an open source utility shipped with many Linux
   distributions, enables the super user to grant non-root
   users permission to execute commands as other users
   (including root). Access to sudo is normally regulated
   via /etc/sudoers.

   One of the functions of sudo enables users to specify
   the password prompt shown when they are challenged for
   their password by 'sudo'. When this parameter (-p) is
   passed to sudo, a user may also include sequences that
   expand to either the hostname (%h) or the username (%u).
   On encountering these expansion sequences, sudo will
   malloc() memory for the string that the argument to -p
   expands to.

   Unfortunately it is possible to trick sudo into allocating
   less memory than it should for the prompt.
   Under certain conditions it is possible to exploit this
   bug to corrupt the heap in a way that could be used
   to execute arbitrary commands.

   Because of the nature of sudo, it is installed by default
   as setuid root and therefore could be used to escalate
   normal user privileges to those of the root user, taking
   into account the restrictions noted below.

Scope for attack:

   As noted above, this vulnerability could be used to escalate
   user privileges to that of the super user.
   However, for this to happen several factors must be considered.

   -  The options sudo was compiled with may determine
      whether it is exploitable. In our tests we used binaries
      compiled with PAM support, which we found to be exploitable.
      Many Linux distributions ship with PAM-enabled builds of
      sudo.

      Distributions shipping PAM-enabled sudo binaries include
      those of SuSE and RedHat.

   -  The length of the hostname of the system on which a
      vulnerable binary is installed is a critical factor in
      how the bug is exploited.

Work around:

   Remove the suid bit from the sudo binary and remove any
   entries in /etc/sudoers.

Credit:

   This vulnerability was originally discovered by fc,
   a GIS affiliate. Research and vendor coordination
   were carried out by the Global InterSec research
   division, under Tom Parker.

   Please email research@globalintersec.com for more
   information.

   Thanks also to Todd Miller, the sudo maintainer, for
   responding so quickly to our email.


Vendor Solutions:

	A patch for version 1.6.5p2 is available at:
	http://www.globalintersec.com/adv/files/sudo-1.6.5p3.patch

	Both the sudo maintainer and vendors shipping vulnerable
	versions of sudo have been notified well in advance of the
	release date. A list of advisories by individual vendors will
	be appended to this advisory as they become available.

	The most recent copy of this advisory is available at the
	"Reference" URL noted in the header of this advisory.

Proof of Concept, Semi-Technical Details:

   When sudo is called with the -p parameter, expand_prompt()
   is called to check for and expand any special sequences
   passed as part of the argument to -p (%h or %u).

   expand_prompt() then calculates the space needed for the
   expanded prompt and malloc()s the calculated amount.
   When the required space is miscalculated, the place at
   which sudo breaks depends on:

   - The string used to cause sudo to miscalculate
     the required space and the length which any
     expansion character(s) expand to.
   - The compilation options sudo was built with.

   These factors therefore have a direct influence on how the
   bug is to be exploited, if at all.

   In the case of the string 'h%h%' being passed to the -p
   option, the prompt length is miscalculated because the
   first h in our string is treated as a %h: the last character
   processed still has the value '%' where it should have been
   given the value '\0' had *lastchar been re-initialised
   correctly.

   In the example below we used a system whose hostname was 7
   bytes long. Because of the length of the hostname, we were
   able to trigger the vulnerability, but without causing a
   SEGV, before we were able to write additional data into
   memory for sudo to read into.

   In the case of a system with a hostname over 8 bytes, you
   may find that the expansion of the hostname has written
   so far into memory that sudo segfaults before additional
   memory can be written via the password prompt.

   In this case an alternative method would be needed to write
   into memory so that relevant registers are corrupted.
   This could possibly be in parameters to -p or in the environment
   variable 'SUDO_PROMPT' (which -p overrides).

   user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > gdb sudo

   GNU gdb 5.0
   Copyright 2000 Free Software Foundation, Inc.

   (gdb) r -p h%h% -s
   Starting program: /research/sudo/dist/sudo-1.6.5p2/sudo -p h%h% -s

   Sorry, try again.

   Program received signal SIGSEGV, Segmentation fault.
   0x400d49c1 in chunk_alloc () from /lib/libc.so.6
   (gdb) i r $edi
    edi            0xdeadbeef       -559038737
   (gdb)

   Note that %ecx and %edx were also within our reach.

   Our example used a sudo 1.6.5p2 binary with --with-pam enabled
   at build time.

   The off-by-five condition still occurs when sudo is compiled
   without PAM as we can see from the following example, using
   a slightly modified version of sudo.

   user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > ./sudo -p h%h% -s
   Allocating 9 bytes for prompt: efiantdefiant% (14 bytes long)
   efiantdefiant%
   Sorry, try again.
   efiantdefiant%
   ^C
   ./sudo: 1 incorrect password attempt
   user@defiant:~/research/sudo/dist/sudo-1.6.5p2 >

   For this reason, sudo built without PAM support (or with any
   other configuration) must be considered vulnerable, as alternative
   ways to make functions in sudo (other than the PAM functions) read
   from corrupted areas of memory and take control of sudo's execution
   flow may exist.

   Please see http://www.phrack.org/show.php?p=57&a=8 for more information
   on exploiting this type of vulnerability.

Legal:

    This advisory is the intellectual property of Global InterSec LLC
    but may be freely distributed with the conditions that:

    a) No fee is charged
    b) Appropriate credit is given.

(c) Global InterSec LLC 2002 
