![[LWN Logo]](/images/lcorner.png)
![[LWN.net]](/images/Included.png)
|
|
|
|
Date: Fri, 23 Feb 2001 19:22:43 +0000 From: chris@RITC.CO.UK Subject: Re: Sudo version 1.6.3p6 now available (fwd) To: BUGTRAQ@SECURITYFOCUS.COM Hi, I was rather surprised that Mr. Miller released this without crediting me for discovering the bug (even though it was pretty trivial =). Basically there is a command-line overflow in Sudo. Long parameters will cause sudo to crash after writing a log message. E.g.: bash-2.04$ sudo /bin/true `perl -e 'print "A"x10000'` Password: Sorry, try again. Password: sudo: 1 incorrect password attempt Segmentation fault bash-2.04$ sudo /bin/true `perl -e 'print "A"x10000'` chris is not in the sudoers file. This incident will be reported. Segmentation fault bash-2.04$ sudo -V Sudo version 1.6.3 bash-2.04$ cat /etc/issue Red Hat Linux release 7.0 (Guinness) Kernel 2.2.16-22 on an i686 bash-2.04$ rpm -q sudo sudo-1.6.3-4 I don't think this is easily exploitable, because the EIP register isn't overwritten, but at least the stack is damaged. For more details, please see my bug report: http://www.courtesan.com/bugzilla/show_bug.cgi?id=27 The solution is, of course, to upgrade to version 1.6.3p6. Ciao, Chris. ___ __ _ / __// / ,__(_)_ | Chris Wilson <chris@ritc.co.uk> | Phone: 01223 503 190 | / (_ / ,\/ _/ /_ \ | Tech Director - Caliday Project | RITC (Cambridge) Ltd | \ _//_/_/_//_/___/ | Unix Systems & Network Engineer | Cambridge CB5 8LA UK | On Fri, 23 Feb 2001, Gossi The Dog wrote: > FYI... > > ---------- Forwarded message ---------- > Date: Thu, 22 Feb 2001 08:52:56 -0700 > From: Todd C. Miller <Todd.Miller@courtesan.com> > To: sudo-announce@courtesan.com > Subject: Sudo version 1.6.3p6 now available > > Sudo version 1.6.3p6 is now available (ftp sites listed at the end). > This fixes a *buffer overflow* in sudo which is a potential security > problem. I don't know of any exploits that currently exist but I > suggest that you upgrade none the less. > > Sudo has a good track record wrt secure coding, but this one slipped > by me. > > - todd <snip>