[19359] in bugtraq
Re: Sudo version 1.6.3p6 now available (fwd)
daemon@ATHENA.MIT.EDU (chris@RITC.CO.UK)
Mon Feb 26 15:04:37 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0102231915120.15513-100000@cartman.ritc.co.uk>
Date: Fri, 23 Feb 2001 19:22:43 +0000
Reply-To: chris@RITC.CO.UK
From: chris@RITC.CO.UK
X-To: Gossi The Dog <gossi@OWNED.LAB6.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.33.0102230052050.8092-100000@owned.lab6.com>
Hi,
I was rather surprised that Mr. Miller released this without crediting me
for discovering the bug (even though it was pretty trivial =). Basically
there is a command-line overflow in Sudo. Long parameters will cause sudo
to crash after writing a log message.
E.g.:
bash-2.04$ sudo /bin/true `perl -e 'print "A"x10000'`
Password:
Sorry, try again.
Password:
sudo: 1 incorrect password attempt
Segmentation fault
bash-2.04$ sudo /bin/true `perl -e 'print "A"x10000'`
chris is not in the sudoers file. This incident will be reported.
Segmentation fault
bash-2.04$ sudo -V
Sudo version 1.6.3
bash-2.04$ cat /etc/issue
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22 on an i686
bash-2.04$ rpm -q sudo
sudo-1.6.3-4
I don't think this is easily exploitable, because the EIP register isn't
overwritten, but at least the stack is damaged.
For more details, please see my bug report:
http://www.courtesan.com/bugzilla/show_bug.cgi?id=27
The solution is, of course, to upgrade to version 1.6.3p6.
Ciao, Chris.
___ __ _
/ __// / ,__(_)_ | Chris Wilson <chris@ritc.co.uk> | Phone: 01223 503 190 |
/ (_ / ,\/ _/ /_ \ | Tech Director - Caliday Project | RITC (Cambridge) Ltd |
\ _//_/_/_//_/___/ | Unix Systems & Network Engineer | Cambridge CB5 8LA UK |
On Fri, 23 Feb 2001, Gossi The Dog wrote:
> FYI...
>
> ---------- Forwarded message ----------
> Date: Thu, 22 Feb 2001 08:52:56 -0700
> From: Todd C. Miller <Todd.Miller@courtesan.com>
> To: sudo-announce@courtesan.com
> Subject: Sudo version 1.6.3p6 now available
>
> Sudo version 1.6.3p6 is now available (ftp sites listed at the end).
> This fixes a *buffer overflow* in sudo which is a potential security
> problem. I don't know of any exploits that currently exist but I
> suggest that you upgrade none the less.
>
> Sudo has a good track record wrt secure coding, but this one slipped
> by me.
>
> - todd
<snip>
