Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Sudo Vendors:
Sudo Format String Bug Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1026600
SecurityTracker URL:
CVE Reference:   CVE 2012-0809   (Links to External Site)
Date:  Jan 30 2012
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.8.0 - 1.8.3p1
Description:   A vulnerability was reported in Sudo. A local user can obtain elevated privileges on the target system.

A local user can supply a specially crafted command line argument to trigger a format string flaw and execute arbitrary commands on the target system with root privileges.

The vulnerability resides in the sudo_debug() function in 'src/sudo.c'.

This can be exploited by local users, regardless of whether they are listed in the sudoers file.

The vendor was notified on January 24, 2012.

joernchen of Phenoelit Advisory reported this vulnerability.

Impact:   A local user can obtain root privileges on the target system.
Solution:   The vendor has issued a fix (1.8.3.p2).

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any)

Message History:   None.

 Source Message Contents

Subject:  Advisory: sudo 1.8 Format String Vulnerability

Content-type: text/plain; CHARSET=US-ASCII
Content-transfer-encoding: 7BIT


FYI, see attached.


joernchen ~ Phenoelit
<> ~ C776 3F67 7B95 03BF 5344  ~ A46A 7199 8B7B 756A F5AC

Content-type: text/plain; name=advisory_sudo.txt
Content-transfer-encoding: 7BIT
Content-disposition: attachment; filename=advisory_sudo.txt

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--++>

[ Authors ]
        joernchen       <joernchen () phenoelit de>

        Phenoelit Group (

[ Affected Products ]
        sudo 1.8.0 - 1.8.3p1 (

[ Vendor communication ]
        2012-01-24 Send vulnerability details to sudo maintainer
        2012-01-24 Maintainer is embarrased
        2012-01-27 Asking maintainer how the fixing goes
        2012-01-27 Maintainer responds with a patch and a release date
                   of 2012-01-30 for the patched sudo and advisory
        2012-01-30 Release of this advisory

[ Description ]

        Observe src/sudo.c:

sudo_debug(int level, const char *fmt, ...)
    va_list ap;
    char *fmt2;

    if (level > debug_level)

    /* Backet fmt with program name and a newline to make it a single 
    write */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    va_start(ap, fmt);
    vfprintf(stderr, fmt2, ap);

        Here getprogname() is argv[0] and by this user controlled. So 
        argv[0] goes to fmt2 which then gets vfprintf()ed to stderr. The
        result is a Format String vulnerability.   

[ Example ]
        /tmp $ ln -s /usr/bin/sudo %n
        /tmp $ ./%n -D9
        *** %n in writable segment detected ***
        /tmp $

       A note regarding exploitability: The above example shows the result
       of FORTIFY_SOURCE which makes explotitation painful but not 
       impossible (see [0]). Without FORTIFY_SOURCE the exploit is straight
         1. Use formatstring to overwrite the setuid() call with setgid()
         2. Trigger with formatstring -D9 
         3. Make use of SUDO_ASKPASS and have shellcode in askpass script
         4. As askpass will be called after the formatstring has 
            overwritten setuid() the askepass script will run with uid 0
         5. Enjoy the rootshell
[ Solution ]
        Update to version 1.8.3.p2 

[ References ]

[ end of file ]


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC