Fwd: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability

2012-01-31 Thread Oliver Pinter 
-- Forwarded message --
From: joernchen of Phenoelit 
Date: Mon, 30 Jan 2012 14:56:26 +0100
Subject: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability
To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com

Hi,

FYI, see attached.

cheers,

joernchen
-- 
joernchen ~ Phenoelit
 ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC
Phenoelit Advisory 

[ Authors ]
joernchen   

Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
sudo 1.8.0 - 1.8.3p1 (http://sudo.ws)

[ Vendor communication ]
2012-01-24 Send vulnerability details to sudo maintainer
2012-01-24 Maintainer is embarrased
2012-01-27 Asking maintainer how the fixing goes
2012-01-27 Maintainer responds with a patch and a release date
   of 2012-01-30 for the patched sudo and advisory
2012-01-30 Release of this advisory

[ Description ]

Observe src/sudo.c:

void
sudo_debug(int level, const char *fmt, ...)
{
va_list ap;
char *fmt2;

if (level > debug_level)
return;

/* Backet fmt with program name and a newline to make it a single 
write */
easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
va_start(ap, fmt);
vfprintf(stderr, fmt2, ap);
va_end(ap);
efree(fmt2);
}

Here getprogname() is argv[0] and by this user controlled. So 
argv[0] goes to fmt2 which then gets vfprintf()ed to stderr. The
result is a Format String vulnerability.   

[ Example ]
/tmp $ ln -s /usr/bin/sudo %n
/tmp $ ./%n -D9
*** %n in writable segment detected ***
Aborted
/tmp $

   A note regarding exploitability: The above example shows the result
   of FORTIFY_SOURCE which makes explotitation painful but not 
   impossible (see [0]). Without FORTIFY_SOURCE the exploit is straight
   forward:
 1. Use formatstring to overwrite the setuid() call with setgid()
 2. Trigger with formatstring -D9 
 3. Make use of SUDO_ASKPASS and have shellcode in askpass script
 4. As askpass will be called after the formatstring has 
overwritten setuid() the askepass script will run with uid 0
 5. Enjoy the rootshell
 
[ Solution ]
Update to version 1.8.3.p2 

[ References ]
[0] http://www.phrack.org/issues.html?issue=67&id=9

[ end of file ]
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"

Re: Fwd: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability

2012-01-31 Thread Wesley Shields 
On Tue, Jan 31, 2012 at 05:03:22PM +0100, Oliver Pinter wrote:
> -- Forwarded message --
> From: joernchen of Phenoelit 
> Date: Mon, 30 Jan 2012 14:56:26 +0100
> Subject: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability
> To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com
> 
> Hi,
> 
> FYI, see attached.

I fixed and got a VuXML entry in for this yesterday.

-- WXS
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"