sudo segfaults on SIGINT during auth

From: Charles 'core' Stevenson (core@bokeoa.com)
Date: 01/19/02


Date: Fri, 18 Jan 2002 21:40:51 -0700
From: Charles 'core' Stevenson <core@bokeoa.com>
To: "vuln-dev@securityfocus.com" <vuln-dev@securityfocus.com>

Hello,

I'm not sure how to debug this just yet. I attached to the process from
another terminal but when I throw the SIGINT gdb catches it... which is
annoying. How can I turn that off? Is this exploitable?

[20:10:08] core@euclid ~/
[3]% sudo ls
Password:(ctrl-c aka SIGINT)
zsh: segmentation fault sudo ls

euclid:~# gdb -q `which sudo` `pidof sudo`
(no debugging symbols found).../root/948: No such file or directory.
Attaching to program: /usr/bin/sudo, process 948
Reading symbols from /lib/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libpam.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpam.so.0
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/ld.so.1
Reading symbols from /lib/libnss_compat.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/security/pam_unix.so...(no debugging symbols found)...done.
Loaded symbols for /lib/security/pam_unix.so
0x0fee0c20 in read () from /lib/libc.so.6
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x0fee0c20 in read () from /lib/libc.so.6
(gdb) bt
#0 0x0fee0c20 in read () from /lib/libc.so.6
#1 0x10008088 in _init ()
#2 0x10007d84 in _init ()
#3 0x10008a94 in _init ()
#4 0x0fd46510 in _log_err () from /lib/security/pam_unix.so
#5 0x0fd4786c in _unix_read_password () from /lib/security/pam_unix.so
#6 0x0fd44130 in pam_sm_authenticate () from /lib/security/pam_unix.so
#7 0x0ff6a6e4 in pam_fail_delay () from /lib/libpam.so.0
#8 0x0ff6aa04 in _pam_dispatch () from /lib/libpam.so.0
#9 0x0ff6c4d4 in pam_authenticate () from /lib/libpam.so.0
#10 0x10008778 in _init ()
#11 0x100083d4 in _init ()
#12 0x10001dc8 in _init ()
#13 0x10006460 in _init ()
#14 0x0fe31a30 in __libc_start_main () from /lib/libc.so.6
...
euclid:~# strace -ip`pidof sudo`
[0fee0c20] --- SIGSTOP (Stopped (signal)) ---
[0fee0c20] read(4, 0x7ffff258, 1) = ? ERESTARTSYS (To be restarted)
[0fee0c20] --- SIGINT (Interrupt) ---
[0fee0c30] write(4, "\n", 1) = 1
[0feee41c] ioctl(4, 0x802c7416, 0x7ffff238) = 0
[0fe472b4] rt_sigaction(SIGINT, {SIG_IGN}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGHUP, {SIG_DFL}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGQUIT, {SIG_IGN}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGTERM, {SIG_DFL}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGTSTP, {SIG_DFL}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGTTIN, {SIG_DFL}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGTTOU, {SIG_DFL}, NULL, 8) = 0
[0fee0c10] close(4) = 0
[0febde00] getpid() = 1028
[0fe45f28] kill(1028, SIGINT) = 0
[0fe45f28] --- SIGINT (Interrupt) ---
[0fee7178] brk(0x10035000) = 0x10035000
[0feb13b4] time([1011410859]) = 1011410859
[0febde00] getpid() = 1028
[0fe472b4] rt_sigaction(SIGPIPE, {0xfeeaabc, [], 0}, {SIG_IGN}, 8) = 0
[0feeed00] socket(PF_UNIX, SOCK_DGRAM, 0) = 4
[0feee47c] fcntl64(0x4, 0x2, 0x1) = 0
[0feeea9c] connect(4, {sin_family=AF_UNIX, path="/dev/log"}, 16) = 0
[0feeec14] send(4, "<37>Jan 18 20:27:39 PAM_unix[102"..., 74, 0) = 74
[0fe472b4] rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
[0fee0c10] close(4) = 0
[0fee0b28] open("/etc/passwd", O_RDONLY) = 4
[0feee47c] fcntl64(0x4, 0x1, 0) = 0
[0feee47c] fcntl64(0x4, 0x2, 0x1) = 0
[0feee48c] fstat64(0x4, 0x7ffff4c8) = 0
[0feeadec] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x30015000
[0feee43c] _llseek(0x4, 0, 0, 0x7ffff538, 0x1) = 0
[0fee0c20] read(4, "root:x:0:0:root:/root:/bin/zsh\nd"..., 4096) = 1015
[0fee0c10] close(4) = 0
[0feeaf8c] munmap(0x30015000, 4096) = 0
[0fee0b28] open("/etc/shadow", O_RDONLY) = 4
[0feee47c] fcntl64(0x4, 0x1, 0) = 0
[0feee47c] fcntl64(0x4, 0x2, 0x1) = 0
[0feee48c] fstat64(0x4, 0x7ffff058) = 0
[0feeadec] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x30015000
[0feee43c] _llseek(0x4, 0, 0, 0x7ffff0c8, 0x1) = 0
[0fee0c20] read(4, "root:( censored ;):11514:0:99999"..., 4096) = 690
[0fee0c10] close(4) = 0
[0feeaf8c] munmap(0x30015000, 4096) = 0
[0fe93918] --- SIGSEGV (Segmentation fault) ---

[20:10:11] core@euclid ~/
[4]% dpkg -l sudo
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  sudo           1.6.4p1-1      Provides limited super user privileges to sp

Seems like maybe this was something that was fixed?

sudo (1.6.4p1-1) unstable; urgency=high
  * new upstream version, with fix for segfaulting problem in 1.6.4
 -- Bdale Garbee <bdale@gag.com> Mon, 14 Jan 2002 20:09:46 -0700

sudo (1.6.4-1) unstable; urgency=high
  * new upstream version, includes an important security fix, closes: #127576
 -- Bdale Garbee <bdale@gag.com> Mon, 14 Jan 2002 09:35:48 -0700

Best Regards,
Charles 'core' Stevenson
