February 22, 2001
A single-byte heap corruption bug exists in sudo versions 1.6.3p5
and below. Exploitation of the bug requires in-depth knowledge of
the system malloc internals. The bug has been exploited on Linux
and can allow an attacker to gain root privileges. No known exploits
exist for other operating systems but this should not be considered
a Linux-only problem.
Sudo versions affected:
1.3.0 - 1.6.3p5 (inclusive)
When given a sufficiently long command line argument, sudo will write
a single NUL byte past the end of a buffer allocated via malloc().
Based on the length of the command line argument it is possible to
place the NUL byte at a location of the attacker's choice. This has
been exploited on Linux to grant an attacker root privileges.
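The bug class described above, as an added example that is not sudo's code and does not reproduce its logic: a buffer sized without room for the terminator receives one NUL byte past its end, and a guard byte placed directly after the usable region makes the overrun observable. The function names, the guard value and the sample arguments are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 0xA5 /* constructed canary value, not from the advisory */

/* Allocate n usable bytes followed by one guard byte we own, so an
 * overrun of exactly one byte is observable without undefined behaviour. */
static char *guarded_alloc(size_t n) {
    unsigned char *p = malloc(n + 1);
    if (p) p[n] = GUARD;
    return (char *)p;
}

/* Join argv with single spaces into a fresh buffer, then report whether
 * the guard byte survived: 1 intact, 0 overwritten, -1 allocation failure.
 * reserve_terminator == 0 models the sizing mistake (no room for NUL). */
static int join_and_check(int argc, char **argv, int reserve_terminator) {
    size_t need = 0, pos = 0;
    for (int i = 0; i < argc; i++)
        need += strlen(argv[i]) + (i + 1 < argc ? 1 : 0);
    size_t size = need + (reserve_terminator ? 1 : 0);

    char *buf = guarded_alloc(size);
    if (!buf) return -1;
    for (int i = 0; i < argc; i++) {
        size_t len = strlen(argv[i]);
        memcpy(buf + pos, argv[i], len);
        pos += len;
        if (i + 1 < argc) buf[pos++] = ' ';
    }
    buf[pos] = '\0'; /* with the flawed size, pos == size: one byte too far */

    int intact = ((unsigned char)buf[size] == GUARD);
    free(buf);
    return intact;
}

int main(void) {
    char *args[] = { "ls", "-l", "/tmp" }; /* constructed sample arguments */
    printf("flawed sizing:  guard intact = %d\n", join_and_check(3, args, 0));
    printf("correct sizing: guard intact = %d\n", join_and_check(3, args, 1));
    return 0;
}
```

Without the guard byte, the stray NUL would land in whatever the allocator keeps next to the buffer, which is why a one-byte overrun can go unnoticed in ordinary testing.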
For more information, see the Vudo article in Phrack.