[UNIX] Sudo Password Prompt Vulnerability
From: support@securiteam.com  Date: 04/26/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 26 Apr 2002 08:38:15 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Sudo Password Prompt Vulnerability
------------------------------------------------------------------------
SUMMARY
Sudo, a popular utility for allowing users to execute commands as other
users, contains a vulnerability that may be exploited to execute arbitrary
commands.
DETAILS
Vulnerable systems:
Sudo version 1.6.5p2
Sudo version 1.6.4
Sudo version 1.6.3p7 (SuSE 7.1 Update, RedHat 7.2)
Sudo version 1.6.3 (SuSE 7.1)
Sudo version 1.6.2
Impact:
A local user may gain root access through corruption of the heap
(Off-By-Five).
Details:
Sudo, an open source utility shipped with many Linux distributions, enables
the super user to grant non-root users permission to execute commands as
other users (including root). Access to Sudo is normally regulated via
/etc/sudoers.
One of the features of Sudo lets users specify the password prompt shown
when they are challenged for their password by 'sudo'. When this parameter
(-p) is passed to Sudo, the user may include escape sequences which expand
to either the hostname (%h) or the username (%u). When it encounters these
escape sequences, Sudo will malloc() memory for the string that the argument
to -p expands into.
Unfortunately, it is possible to trick Sudo into allocating less memory
than it should for the prompt. Under certain conditions it is possible to
exploit this bug to corrupt the heap in a way that could be used to
execute arbitrary commands.
Because of the nature of Sudo, it is installed by default as setuid root
and therefore could be used to escalate a normal user's privileges to those
of the root user, subject to the restrictions noted below.
Scope for attack:
As noted above, this vulnerability could be used to escalate user
privileges to those of the super user. However, several factors determine
whether this is possible.
- The options Sudo was compiled with may determine whether or not it is
exploitable. In our tests, we used binaries compiled with PAM support,
which we found to be exploitable. Many Linux distributions ship with PAM
enabled builds of Sudo.
Distributions shipping PAM enabled Sudo binaries include SuSE and RedHat.
- The length of the hostname of the system on which a vulnerable binary is
installed is a critical factor in the way in which the bug is exploited.
Workaround:
Remove the setuid bit from the Sudo binary and remove any entries from
/etc/sudoers.
Vendor Solutions:
A patch for version 1.6.5p2 is available at:
http://www.globalintersec.com/adv/files/sudo-1.6.5p3.patch
Both the Sudo maintainer and Vendors shipping vulnerable versions of sudo
have been notified well in advance of the release date. A list of
advisories by individual vendors will be appended to this advisory as they
become available.
The most recent copy of this advisory is available at the "Reference" URL
noted in the header of this advisory.
Proof of Concept, Semi-Technical Details:
When Sudo is called with the -p parameter, expand_prompt() is called to
check for and expand any special sequences passed as arguments to -p (%h
or %u).
expand_prompt() then calculates the space needed for the expanded prompt and
malloc()s the calculated amount. When the required space is miscalculated,
where Sudo breaks depends on:
- The string used to cause Sudo to miscalculate the required space and
the length to which any expansion sequence(s) expand.
- The compilation options Sudo was built with.
These factors therefore have a direct influence on how the bug is to be
exploited, if at all.
In the case of the string 'h%h%' being passed to the -p option, the prompt
length is miscalculated because the first h in our string is treated as an
%h while the last character still has the value '%', where it should have
been given the value '\0' if *lastchar had been re-initialized correctly.
In the example below, we used a system whose hostname was 7 bytes long.
Because of the length of the hostname, we were able to trigger the
vulnerability without causing a SEGV before we had written additional data
into memory for Sudo to read.
On a system with a hostname of more than 8 bytes, you may find that the
expansion of the hostname has written so far into memory that Sudo
segfaults before additional memory can be written via the password prompt.
In this case, an alternative method would be needed to write into memory
so that the relevant registers are corrupted. This could possibly be done
through the parameters to -p or through the environment variable
'SUDO_PROMPT' (which -p overrides).
user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > gdb sudo
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
(gdb) r -p h%h% -s
Starting program: /research/sudo/dist/sudo-1.6.5p2/sudo -p h%h% -s
efiantdefian" <4 Bytes>\xef\xbe\xad\xde\<84 Bytes> # Password Challenge
Sorry, try again.
Program received signal SIGSEGV, Segmentation fault.
0x400d49c1 in chunk_alloc () from /lib/libc.so.6
(gdb) i r $edi
edi 0xdeadbeef -559038737
(gdb)
Note that %ecx and %edx were also within our reach.
Our example used a Sudo 1.6.5p2 binary built with --with-pam enabled.
The off-by-five condition still occurs when Sudo is compiled without PAM,
as the following example shows, using a slightly modified version of Sudo
that prints the size it allocates:
user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > ./sudo -p h%h% -s
Allocating 9 bytes for prompt: efiantdefiant% (14 bytes long)
efiantdefiant%
Sorry, try again.
efiantdefiant%
^C
./sudo: 1 incorrect password attempt
user@defiant:~/research/sudo/dist/sudo-1.6.5p2 >
Accordingly, Sudo without PAM support (or in any other configuration) must
be considered vulnerable, as alternative ways to cause functions in Sudo to
read corrupted areas of memory and gain control of Sudo's execution flow
(other than the PAM functions) may exist.
Please see http://www.phrack.org/show.php?p=57&a=8 for more information on
exploiting this type of vulnerability.
ADDITIONAL INFORMATION
The information has been provided by Global InterSec Research
(lists@globalintersec.com).