COMMAND

	sudo local heap overflow

SYSTEMS AFFECTED

	Sudo 1.6.5p2, 1.6.4, 1.6.3p7, 1.6.3, 1.6.2
	

	

PROBLEM

	In Global InterSec  LLC  [http://www.globalintersec.com]  advisory  [ID:
	2002041701] :
	

	--snipp--
	

	When sudo is called with the -p parameter, expand_prompt() is called  to
	check for and expand any special characters parsed as  arguments  to  -p
	(%h or %u).
	

	expand_prompt will then calculate space  for  the  expanded  prompt  and
	malloc() the  calculated  amount.  On  miscalculation  of  the  required
	space, the place in which sudo break will depend on:
	

	 - The string used to cause sudo to miscalculate

	   the required space and the length which any

	   expansion character(s) expand to.

	

	 - The compilation options sudo was built with.

	

	These factors therefore have a direct influence on how the bug is to  be
	exploited, if at all.
	

	In the case of  a  string  \'h%h%\'  being  parsed  to  the  -p  option,
	miscalculation of the prompt length occurs due to the  first  h  in  our
	string being treated as an %h and the last character  still  having  the
	value of % where it should of been given the value \'\\0\' if  *lastchar
	had been re-initialised correctly.
	

	In the example below we used a system who\'s hostname was 7 bytes  long.
	Because of the length of the hostname,  we  were  able  to  trigger  the
	vulnerability, but without causing a SEGV, before we were able to  write
	additional data into memory for sudo to read into.
	

	In the case of a system with a hostname over 8 bytes, you may find  that
	the expansion of the hostname has written so far into memory  that  sudo
	segfaults before additional memory  can  be  written  via  the  password
	prompt.
	

	In this case an alternative method would be needed to write into  memory
	so that relevant registers are corrupted.  This  could  possibly  be  in
	parameters to -p or in the environment variable  \'SUDO_PROMPT\'  (which
	-p overrides).
	

	user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > gdb sudo

	

	GNU gdb 5.0

	Copyright 2000 Free Software Foundation, Inc.

	

	(gdb) r -p h%h% -s

	Starting program: /research/sudo/dist/sudo-1.6.5p2/sudo -p h%h% -s

	

	efiantdefian=A1 <4 Bytes>\\xef\\xbe\\xad\\xde\\<84 Bytes> # Password Challenge

	Sorry, try again.

	

	Program received signal SIGSEGV, Segmentation fault.

	0x400d49c1 in chunk_alloc () from /lib/libc.so.6

	(gdb) i r $edi

	edi            0xdeadbeef       -559038737

	(gdb)

	

	Note that %ecx and %edx were also within our reach.
	

	Our example used a sudo 1.6.5p2 binary with --with-pam enabled at  build
	time.
	

	The off-by-five condition still occurs when  sudo  is  compiled  without
	PAM as we can see from the following example, using a slightly  modified
	version of sudo.
	

	user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > ./sudo -p h%h% -s

	Allocating 9 bytes for prompt: efiantdefiant% (14 bytes long)

	efiantdefiant%

	Sorry, try again.

	efiantdefiant%

	^C

	./sudo: 1 incorrect password attempt

	user@defiant:~/research/sudo/dist/sudo-1.6.5p2 >

	

	To this end - sudo without pam  support  (or  any  other  configuration)
	must be considered vulnerable as alternative ways to cause functions  in
	sudo to read into corrupted areas of memory and  gain  flow  control  of
	sudo (other than the pam functions) may exist.
	

	--snapp--

SOLUTION

	Get sudo 1.6.6
	

	ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

	http://www.sudo.ws/sudo/dist/