Hi,
I was rather surprised that Mr. Miller released this without crediting me
for discovering the bug (even though it was pretty trivial =). Basically
there is a command-line overflow in Sudo. Long parameters will cause sudo
to crash after writing a log message.
E.g.:
bash-2.04$ sudo /bin/true `perl -e 'print "A"x10000'`
Password:
Sorry, try again.
Password:
sudo: 1 incorrect password attempt
Segmentation fault
bash-2.04$ sudo /bin/true `perl -e 'print "A"x10000'`
chris is not in the sudoers file. This incident will be reported.
Segmentation fault
bash-2.04$ sudo -V
Sudo version 1.6.3
bash-2.04$ cat /etc/issue
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22 on an i686
bash-2.04$ rpm -q sudo
sudo-1.6.3-4
I don't think this is easily exploitable, because the EIP register isn't
overwritten, but at least the stack is damaged.
For more details, please see my bug report:
http://www.courtesan.com/bugzilla/show_bug.cgi?id=27
The solution is, of course, to upgrade to version 1.6.3p6.
Ciao, Chris.
___ __ _
/ __// / ,__(_)_ | Chris Wilson <[EMAIL PROTECTED]> | Phone: 01223 503 190 |
/ (_ / ,\/ _/ /_ \ | Tech Director - Caliday Project | RITC (Cambridge) Ltd |
\ _//_/_/_//_/___/ | Unix Systems & Network Engineer | Cambridge CB5 8LA UK |
On Fri, 23 Feb 2001, Gossi The Dog wrote:
> FYI...
>
> ---------- Forwarded message ----------
> Date: Thu, 22 Feb 2001 08:52:56 -0700
> From: Todd C. Miller <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Sudo version 1.6.3p6 now available
>
> Sudo version 1.6.3p6 is now available (ftp sites listed at the end).
> This fixes a *buffer overflow* in sudo which is a potential security
> problem. I don't know of any exploits that currently exist but I
> suggest that you upgrade none the less.
>
> Sudo has a good track record wrt secure coding, but this one slipped
> by me.
>
> - todd
<snip>
