security hole in sudo 1.5.7 - 1.6.5p2

Todd C. Miller Todd.Miller at courtesan.com
Thu Apr 25 12:21:54 EDT 2002


A potential security vulnerability has been found in sudo versions
1.5.7 - 1.6.5p2.  The problem affects expansion of the "%h" and
"%u" escape sequences in the prompt.  Due to a bug it is possible
to craft a prompt such that more bytes are written than have been
allocated.
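As an added illustration, not sudo's code and not part of this announcement, the C routine below expands the same "%h", "%u" and "%%" escapes but runs the sizing and the writing through one shared loop with a bounded sink, so the byte count handed to the allocator cannot disagree with the bytes later copied (the class of mismatch described above). The `user` and `host` parameters are assumed stand-ins for the invoking user name and short host name; the sample prompts are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded output sink with snprintf-like semantics: writes never exceed
 * size - 1 bytes (room is left for the NUL), but pos always counts the
 * full length the expansion needs.  A NULL buf only measures. */
struct sink {
    char *buf;
    size_t size;
    size_t pos;
};

static void emit(struct sink *s, const char *src, size_t n)
{
    if (s->buf != NULL && s->size > 0 && s->pos < s->size - 1) {
        size_t room = s->size - 1 - s->pos;
        memcpy(s->buf + s->pos, src, n < room ? n : room);
    }
    s->pos += n;
}

/* Expand "%h" -> host, "%u" -> user and "%%" -> "%"; any other "%x" and a
 * lone trailing '%' are kept literally.  Returns the length the complete
 * expansion needs (excluding the NUL), like snprintf, and NUL-terminates
 * out when outsz > 0.  Measuring (out == NULL) and writing run the very
 * same loop, so they cannot disagree about which characters are escapes. */
size_t expand_prompt(const char *prompt, const char *user, const char *host,
                     char *out, size_t outsz)
{
    struct sink s = { out, outsz, 0 };
    const char *p = prompt;

    while (*p != '\0') {
        if (*p != '%') {
            emit(&s, p++, 1);
            continue;
        }
        switch (p[1]) {
        case 'h':  emit(&s, host, strlen(host)); p += 2; break;
        case 'u':  emit(&s, user, strlen(user)); p += 2; break;
        case '%':  emit(&s, "%", 1);             p += 2; break;
        case '\0': emit(&s, "%", 1);             p += 1; break; /* trailing '%' */
        default:   emit(&s, p, 2);               p += 2; break; /* unknown escape */
        }
    }
    if (out != NULL && outsz > 0)
        out[s.pos < outsz - 1 ? s.pos : outsz - 1] = '\0';
    return s.pos;
}

/* Allocate exactly what the expansion needs, then fill it with the same loop. */
char *expand_prompt_alloc(const char *prompt, const char *user, const char *host)
{
    size_t need = expand_prompt(prompt, user, host, NULL, 0);
    char *buf = malloc(need + 1);

    if (buf != NULL)
        expand_prompt(prompt, user, host, buf, need + 1);
    return buf;
}

/* Check helper: expand into a buffer of exactly bufsz bytes and compare. */
int expands_to(const char *prompt, const char *user, const char *host,
               size_t bufsz, const char *expected)
{
    char *buf = malloc(bufsz);
    int ok;

    if (buf == NULL)
        return 0;
    expand_prompt(prompt, user, host, buf, bufsz);
    ok = strcmp(buf, expected) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    /* constructed sample prompts, including the awkward trailing-'%' case */
    const char *samples[] = { "Password for %u on %h: ", "%h%u%", "100%% sure? %x" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *s = expand_prompt_alloc(samples[i], "alice", "host1");
        if (s != NULL) {
            printf("%-26s -> \"%s\" (%zu bytes)\n", samples[i], s, strlen(s));
            free(s);
        }
    }
    return 0;
}
```

The design point is that there is no second parser to drift out of step: the allocator is fed by the same state machine that later fills the buffer, and the sink clamps every write to the declared size, so a future change to the escape rules can at worst truncate a prompt rather than write past the allocation.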

Exploiting heap corruption bugs like this requires fairly in-depth
knowledge of a system's malloc internals.  This class of bug has
been exploited on Linux so it is very likely that the bug is a
localhost root hole on Linux (and probably other operating systems
as well).

This bug is fixed in sudo 1.6.6 (released today).  The "official" patch
is appended below for people who prefer to patch things themselves.

Credit for finding the bug goes to Global InterSec.

Sudo 1.6.6:
    ftp://ftp.courtesan.com/pub/sudo/sudo-1.6.6.tar.gz

Patch to fix the bug:

Index: check.c
===================================================================
RCS file: /home/cvs-sudo/sudo/check.c,v
retrieving revision 1.202
diff -u -r1.202 check.c
--- check.c	14 Dec 2001 19:52:47 -0000	1.202
+++ check.c	18 Apr 2002 15:34:14 -0000
@@ -196,9 +196,9 @@
 
     if (subst) {
 	new_prompt = (char *) emalloc(len + 1);
-	for (p = old_prompt, np = new_prompt; *p; p++) {
+	for (p = old_prompt, np = new_prompt, lastchar = '\0'; *p; p++) {
 	    if (lastchar == '%' && (*p == 'h' || *p == 'u' || *p == '%')) {
-		/* substiture user/host name */
+		/* substitute user/host name */
 		if (*p == 'h') {
 		    np--;
 		    strcpy(np, user_shost);
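Review bot: the added `lastchar = '\0'` initialiser is the whole fix, but nothing in the hunk records why it matters: before the change the substitution loop started with whatever `lastchar` already held (presumably the last character seen by the pass that computed `len`), so a prompt ending in '%' entered this loop with `lastchar == '%'`, a leading 'h' or 'u' was substituted without ever having been counted, and `np--` stepped to one byte before `new_prompt` before `strcpy(np, user_shost)` wrote past the `emalloc(len + 1)` buffer. A comment above the loop stating the invariant (this loop must perform exactly the substitutions the sizing loop counted) would stop the next reader from reintroducing the drift. Separately, `strcpy(np, user_shost)` carries no bound of its own; a check such as `np + strlen(user_shost) <= new_prompt + len` before the copy, or sizing and filling through one shared routine, would turn any future mismatch between the two passes into a truncated prompt instead of another heap overflow.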



More information about the sudo-announce mailing list