[20899] in bugtraq

Re: [synnergy] - Sudo Vudo

daemon@ATHENA.MIT.EDU (Trond Eivind Glomsrød)
Thu Jun 7 13:30:24 2001

To: bugtraq@securityfocus.com
Cc: Michel Kaempf <maxx@synnergy.net>
From: teg@redhat.com (Trond Eivind =?iso-8859-1?q?Glomsr=F8d?=)
Date: 06 Jun 2001 18:03:44 -0400
In-Reply-To: <20010606170343.A14671@via.ecp.fr>
Message-ID: <xuy7kyps1tr.fsf@halden.devel.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Michel Kaempf <maxx@synnergy.net> writes:

> -[ Vudo - An object superstitiously believed to embody magical powers ]-
> 
> --------------[ Michel "MaXX" Kaempf <maxx@synnergy.net> ]--------------
> ----------------[ Copyright (C) 2001 Synnergy Networks ]----------------
> 
> 
> --[ 0x00 - Introduction ]-----------------------------------------------
> 
> Sudo (superuser do) allows a system administrator to give certain users
> (or groups of users) the ability to run some (or all) commands as root
> or another user while logging the commands and arguments.
> -- http://www.courtesan.com/sudo/index.html
> 
> On February 19, 2001, Sudo version 1.6.3p6 was released: "This fixes
> a potential security problem. So far, the bug does not appear to be
> exploitable." Despite the comments sent to various security mailing
> lists after the announcement of the new Sudo version, the bug is not a
> buffer overflow and the bug does not damage the stack.
> 
> But the bug is exploitable: even a single byte located somewhere in the
> heap, erroneously overwritten by a NUL byte before a call to syslog(3)
> and immediately restored after the syslog(3) call, may actually lead to
> execution of code as root. A working exploit for Red Hat Linux/Intel 6.2
> (Zoot) sudo-1.6.1-1 is attached at the end of this email and a complete
> research paper on this issue and on general heap corruption techniques
> will be released soon.

Sudo was not part of the main Red Hat Linux 6.2 distribution, but was
part of powertools. 1.6.3p6 was released as a security errata
earlier this year:

http://www.redhat.com/support/errata/RHSA-2001-019.html
 

-- 
Trond Eivind Glomsrød
Red Hat, Inc.