A buffer overflow exists in sudo versions 1.5.7 to 1.6.5p2 (inclusive). The problem affects expansion of the “%h” and “%u” escape sequences in the prompt. Due to a bug it is possible to craft a prompt such that more bytes are written than have been allocated. Exploiting heap corruption bugs like this requires fairly in-depth knowledge of a system’s malloc internals. The bug has been exploited on Linux and can allow an attacker to gain root privileges. No known exploits exist for other operating systems but this should not be considered a Linux-only problem.
Sudo versions affected: 1.5.7 - 1.6.5p2 (inclusive)
Sudo expands “%h” and “%u” to the hostname and username respectively. This is done in two steps. In the first step sudo calculates the amount of memory required to hold the expanded string. In the second step it does the actual string copying and escape sequence expansion. The bug occurs because a variable used to store the last character seen was not re-initialized before the second loop. Consequently, if the last character in the prompt is a ‘%’ and the first character is an ‘h’ or ‘u’, sudo will mistakenly expand the ‘h’ or ‘u’ in the second step, thinking the last character processed was a ‘%’. The length computed in the first step is therefore too small for what the second step writes, and the malloc()ed buffer overflows.
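The mismatch between the two steps can be measured without writing to memory. The following C model is an added example, not sudo's source code; the function names, the prompt, the user name and the host name are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not sudo's source: count the bytes one pass over the
 * prompt produces, starting from the "last character seen" state in *last.
 * *last is left holding whatever state the pass ends in. */
static long expand_len(const char *prompt, const char *user,
                       const char *host, char *last)
{
    long out = 0;
    for (const char *p = prompt; *p; p++) {
        if (*last == '%' && (*p == 'h' || *p == 'u')) {
            /* the name replaces the '%' that was already counted */
            out += (long)strlen(*p == 'h' ? host : user) - 1;
            *last = *p;
        } else if (*last == '%' && *p == '%') {
            *last = '\0';           /* "%%" collapses to a single '%' */
        } else {
            out++;
            *last = *p;
        }
    }
    return out;
}

/* Bytes pass 2 would write beyond what pass 1 allocated (0 if it fits).
 * reinit != 0 models the fix: reset the state before the second pass. */
static long overrun(const char *prompt, const char *user,
                    const char *host, int reinit)
{
    char last = '\0';
    long allocated = expand_len(prompt, user, host, &last) + 1; /* + NUL */
    if (reinit)
        last = '\0';
    long written = expand_len(prompt, user, host, &last) + 1;
    return written > allocated ? written - allocated : 0;
}

int main(void)
{
    /* Constructed inputs: first character 'h', last character '%'. */
    const char *prompt = "h password for %u: %";
    const char *user = "alice", *host = "buildhost01";
    printf("stale state: %ld byte(s) past the allocation\n",
           overrun(prompt, user, host, 0));
    printf("reset state: %ld byte(s) past the allocation\n",
           overrun(prompt, user, host, 1));
    return 0;
}
```

In this model the shortfall equals the length of the substituted name minus two, so it grows with the hostname or username length.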
This problem was brought to my attention by Global InterSec LLC.
For more information, see their advisory: http://www.globalintersec.com/adv/sudo-2002041701.txt