首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
sudo 1.8.0 - 1.8.3p1 Format String Vulnerability
来源:http://www.phenoelit.de 作者:joernchen 发布时间:2012-02-01  
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--++>
[ Authors ]
        joernchen       <joernchen () phenoelit de>
        Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
        sudo 1.8.0 - 1.8.3p1 (http://sudo.ws)
[ Vendor communication ]
        2012-01-24 Send vulnerability details to sudo maintainer
        2012-01-24 Maintainer is embarrased
        2012-01-27 Asking maintainer how the fixing goes
        2012-01-27 Maintainer responds with a patch and a release date
                   of 2012-01-30 for the patched sudo and advisory
        2012-01-30 Release of this advisory
[ Description ]
        Observe src/sudo.c:
void
sudo_debug(int level, const char *fmt, ...)
{
    va_list ap;
    char *fmt2;
    if (level > debug_level)
        return;
    /* Backet fmt with program name and a newline to make it a single
    write */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    va_start(ap, fmt);
    vfprintf(stderr, fmt2, ap);
    va_end(ap);
    efree(fmt2);
}
        Here getprogname() is argv[0] and by this user controlled. So
        argv[0] goes to fmt2 which then gets vfprintf()ed to stderr. The
        result is a Format String vulnerability.
[ Example ]
        /tmp $ ln -s /usr/bin/sudo %n
        /tmp $ ./%n -D9
        *** %n in writable segment detected ***
        Aborted
        /tmp $
       A note regarding exploitability: The above example shows the result
       of FORTIFY_SOURCE which makes explotitation painful but not
       impossible (see [0]). Without FORTIFY_SOURCE the exploit is straight
       forward:
         1. Use formatstring to overwrite the setuid() call with setgid()
         2. Trigger with formatstring -D9
         3. Make use of SUDO_ASKPASS and have shellcode in askpass script
         4. As askpass will be called after the formatstring has
            overwritten setuid() the askepass script will run with uid 0
         5. Enjoy the rootshell
[ Solution ]
        Update to version 1.8.3.p2
[ References ]
        [0] http://www.phrack.org/issues.html?issue=67&id=9
[ end of file ]
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Tracker Software pdfSaver Acti
·Adobe Flash Player MP4 Sequenc
·MS12-004 midiOutPlayNextPolyEv
·EdrawSoft Office Viewer Compon
·HP Diagnostics Server magentse
·Apache httpOnly Cookie Disclos
·Sysax Multi Server 5.50 Create
·Mindjet MindManager 2012 10.0.
·HP Easy Printer Care XMLCacheM
·frontpage_express2.02 Denial o
·zFTPServer Suite 6.0.0.52 'rmd
·Acpid 1:2.0.10-1ubuntu2 Privil
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved