Sudo 1.8.0 introduced simple debugging support that was primarily intended for use when developing policy or I/O logging plugins. The sudo_debug() function contains a flaw where the program name is used as part of the format string passed to the fprintf() function. The program name can be controlled by the caller, either via a symbolic link or, on some systems, by setting argv[0] when executing sudo. For example:
$ ln -s /usr/bin/sudo ./%s
$ ./%s -D9
Segmentation fault

Using standard format string vulnerability exploitation techniques it is possible to leverage this bug to achieve root privileges.
A bug in sudo 1.8.0 through 1.8.2; root privileges can be taken through it.

Reading the sudo-1.8.2 code, it calls easprintf (sudo's own sprintf function) and then vfprintf; when getprogname() returns '%s', the number of %s directives in the format exceeds the number of arguments passed to vfprintf, which apparently is what causes the segmentation fault.
/*
 * Simple debugging/logging.
 */
void
sudo_debug(int level, const char *fmt, ...)
{
    va_list ap;
    char *fmt2;

    if (level > debug_level)
        return;

    /* Bracket fmt with program name and a newline to make it a single write */
    /* getprogname() is caller-controlled (argv[0] or a symlink name) and is
       spliced into the format string handed to vfprintf() below; this is the
       format string flaw. */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    va_start(ap, fmt);
    vfprintf(stderr, fmt2, ap);
    va_end(ap);
    efree(fmt2);
}
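As an added illustration (not sudo's own code), the following C reproduces how the program name is folded into the format string and counts the conversion directives in the result, next to a hardened variant that passes the name as data and hands only the caller's format to v*printf; the function names are the example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count conversion directives in a printf format ("%%" is a literal, not a directive). */
int count_directives(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build the combined format exactly as sudo_debug() does ("%s: %s\n" with the
 * program name and the caller's format) and report how many directives the
 * result contains.  A program name of "%s" yields one more directive than the
 * caller supplied arguments for, which is the mismatch that crashes vfprintf(). */
int sudo_debug_format_directives(const char *progname, const char *fmt,
                                 char *out, size_t outlen)
{
    snprintf(out, outlen, "%s: %s\n", progname, fmt);
    return count_directives(out);
}

/* Hardened variant (example's own design): the program name is an argument to
 * a fixed "%s" directive and never becomes part of a format string; only the
 * caller's compile-time format reaches vsnprintf().  Returns bytes written or -1. */
int safe_debug_to_buf(char *out, size_t outlen, const char *progname,
                      const char *fmt, ...)
{
    va_list ap;
    int len = snprintf(out, outlen, "%s: ", progname);
    if (len < 0 || (size_t)len >= outlen)
        return -1;
    va_start(ap, fmt);
    len += vsnprintf(out + len, outlen - (size_t)len, fmt, ap);
    va_end(ap);
    return len;
}
```

The vulnerable path is only modelled (the format is built and inspected, never executed with too few arguments), so the program is safe to run as a teaching aid.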