6143266 2001-02-23 19:22 +0000 /73 lines/ <chris@RITC.CO.UK>
Sent by: joel@lysator.liu.se
Imported: 2001-02-26 21:00 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: chris@RITC.CO.UK
Recipient: Bugtraq (import) <15608>
Comment on text 6133149 by Gossi The Dog <gossi@OWNED.LAB6.COM>
Subject: Re: Sudo version 1.6.3p6 now available (fwd)
------------------------------------------------------------
From: chris@RITC.CO.UK
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0102231915120.15513-100000@cartman.ritc.co.uk>

Hi,

I was rather surprised that Mr. Miller released this without crediting
me for discovering the bug (even though it was pretty trivial =).

Basically there is a command-line overflow in Sudo. Long parameters
will cause sudo to crash after writing a log message. E.g.:

bash-2.04$ sudo /bin/true `perl -e 'print "A"x10000'`
Password:
Sorry, try again.
Password:
sudo: 1 incorrect password attempt
Segmentation fault

bash-2.04$ sudo /bin/true `perl -e 'print "A"x10000'`
chris is not in the sudoers file. This incident will be reported.
Segmentation fault

bash-2.04$ sudo -V
Sudo version 1.6.3

bash-2.04$ cat /etc/issue
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.16-22 on an i686

bash-2.04$ rpm -q sudo
sudo-1.6.3-4

I don't think this is easily exploitable, because the EIP register
isn't overwritten, but at least the stack is damaged. For more
details, please see my bug report:

http://www.courtesan.com/bugzilla/show_bug.cgi?id=27

The solution is, of course, to upgrade to version 1.6.3p6.

Ciao, Chris.

   ___ __     _
 / __// / ,__(_)_  | Chris Wilson <chris@ritc.co.uk> | Phone: 01223 503 190 |
/ (_ / ,\/ _/ /_ \ | Tech Director - Caliday Project | RITC (Cambridge) Ltd |
\ _//_/_/_//_/___/ | Unix Systems & Network Engineer | Cambridge CB5 8LA UK |

On Fri, 23 Feb 2001, Gossi The Dog wrote:

> FYI...
>
> ---------- Forwarded message ----------
> Date: Thu, 22 Feb 2001 08:52:56 -0700
> From: Todd C. Miller <Todd.Miller@courtesan.com>
> To: sudo-announce@courtesan.com
> Subject: Sudo version 1.6.3p6 now available
>
> Sudo version 1.6.3p6 is now available (ftp sites listed at the end).
> This fixes a *buffer overflow* in sudo which is a potential security
> problem. I don't know of any exploits that currently exist but I
> suggest that you upgrade none the less.
>
> Sudo has a good track record wrt secure coding, but this one slipped
> by me.
>
> - todd

<snip>
(6143266) --------------------------------(Rewrapped)