April 25, 2002
A buffer overflow exists in sudo versions 1.5.7 to 1.6.5p2
(inclusive). The problem affects expansion of the "%h" and "%u"
escape sequences in the prompt. Due to a bug it is possible
to craft a prompt such that more bytes are written than have been
Exploiting heap corruption bugs like this requires fairly in-depth
knowledge of a system's malloc internals. The bug has been exploited
on Linux and can allow an attacker to gain root privileges. No
known exploits exist for other operating systems but this should
not be considered a Linux-only problem.
Sudo versions affected:
1.5.7 - 1.6.5p2 (inclusive)
Sudo expands "%h" and "%u" to the hostname and username respectively.
This is done in two steps. In the first step sudo calculates the
amount of memory required to hold the expanded string. In the
second step it does the actual string copying and escape sequence
expansion. The bug occurs because a variable used to store the
last character seen was not re-initialized before the second loop.
Consequently, if the last character in the prompt is a '%' and the
first character is a 'h' or 'u', sudo will mistakenly expand the
'h' or 'u', thinking the last character processed was a '%'. This
causes the computed length to be too small and the malloced buffer
This problem was brought to my attention by Global InterSec LLC
For more information, see their advisory: