J-Security Center

Title: Sudo Heap Corruption Vulnerability

Severity: HIGH

Description:

Sudo (superuser do) is a security utility that allows an administrator to grant 'restricted' superuser privileges to certain users.

Sudo contains a locally exploitable 'buffer overrun' vulnerability. The 'overrun' condition exists in sudo's logging function (do_syslog()), and occurs when data to be logged is being split into substrings to be passed to syslog().

Syslog is the primary system logging facility on Unix systems. When a process (running as root) wants to log an event, it simply calls the syslog() libcall (a system call wrapper) with the event priority and any text that is to be included in the log entry. Syslog has a string length limit for this text. If the string that sudo wishes to log is longer than this size limit, it is split into substrings that are logged as separate log entries.

It is during this 'splitting' operation that a possibly exploitable 'overrun' condition occurs.

The message to be logged is split into substrings that are approximately as large as the maximum syslog text length. When splitting, sudo attempts to terminate these substrings at whitespace-separated word boundaries. When a substring is to be passed to syslog(), a NULL byte is written to the end of the substring. After the syslog() call, the byte at that location in the string is restored to its original value.

After a substring has been logged, the 'splitting' routine advances the pointer to the beginning of the next whitespace separated word in the string to start the next substring. It does this by simply incrementing the pointer until a 'space' character is found. It does not stop at the end of the string:

for (p = tmp; *p != ' '; p++)   /* advances until a space is found; never checks for the terminating NUL */
    ;

If no 'space' character exists in the rest of the string, this loop keeps incrementing the pointer until a space is found in neighboring memory, or until the compare dereferences an unmapped address and causes a segmentation violation.

This overrun condition is dangerous because the pointer in this loop is maintained as the 'start' of the next substring. A NULL byte will be written to a location somewhere beyond this pointer in the next iteration of the main 'splitting' loop when the next substring is being terminated. If the pointer happens to point to a critical value, it will be temporarily corrupted by this NULL byte until restored after the syslog() call returns.

While the NULL byte only exists during the syslog() calls (the original byte value is restored after they return), it has been demonstrated that this vulnerability can still be exploited. If the overrun occurs on the heap, it may be possible to corrupt some of the malloc structures which the syslog() implementation uses. It may be possible for an attacker to construct an argument that will cause a NULL to be written to a pre-calculated, critical position in memory.

This may create a condition where the execution of arbitrary code as root is possible.

Note: When first published, it was widely believed that this condition was not exploitable. It has recently been reported that this is indeed exploitable. Forthcoming updates may provide additional technical details.
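The splitting routine described above, reconstructed as an added example to show the bounded form of the word-advance step (this is illustration code written for this page, not the advisory's or the sudo project's code). It assumes a 16-byte syslog limit (MAX_SYSLOG_LEN), a chunk_log structure standing in for syslog(), and a constructed sample message whose last word is longer than the limit and has no space after it, the shape that drives the quoted loop past the end of the buffer. The in-place NUL write and restore are kept as the advisory describes them; the difference is that the advance to the next word stops at the first non-space byte, which includes the terminating NUL, so the pointer, and therefore the later NUL write, stays inside the message buffer.

```c
#include <stdio.h>
#include <string.h>

/* Assumed syslog text limit for the demo; real implementations allow far more. */
#define MAX_SYSLOG_LEN 16
/* Upper bound on recorded chunks so a logic error cannot loop without end. */
#define MAX_CHUNKS 32

/* Stand-in for syslog(): records every substring handed to it. */
struct chunk_log {
    char text[MAX_CHUNKS][MAX_SYSLOG_LEN + 1];
    int count;
};

/* Skip leading spaces before the next substring.  The advisory's loop kept
 * going until it found a space; this one stops at the first non-space byte,
 * which includes the terminating NUL, so p never leaves the buffer. */
static char *skip_spaces(char *p)
{
    while (*p == ' ')
        p++;
    return p;
}

/* Split msg into substrings of at most MAX_SYSLOG_LEN bytes, preferring a
 * space as the cut point, as the advisory describes: a NUL is written at the
 * cut for the duration of the "syslog" call and the saved byte is put back
 * afterwards.  Returns the chunk count, or -1 if out is full. */
int split_for_syslog(char *msg, struct chunk_log *out)
{
    char *p = msg;

    out->count = 0;
    while (*p != '\0') {
        char *cut, saved;

        if (out->count >= MAX_CHUNKS)
            return -1;
        if (strlen(p) <= MAX_SYSLOG_LEN) {      /* tail fits: log it whole */
            strcpy(out->text[out->count++], p);
            break;
        }
        /* Walk back from the window end looking for a word boundary. */
        for (cut = p + MAX_SYSLOG_LEN; cut > p && *cut != ' '; cut--)
            ;
        if (cut == p)                           /* no space in window: hard cut */
            cut = p + MAX_SYSLOG_LEN;

        saved = *cut;
        *cut = '\0';                            /* temporary terminator */
        strcpy(out->text[out->count++], p);     /* would be syslog(pri, "%s", p) */
        *cut = saved;                           /* restore the original byte */

        p = skip_spaces(cut);                   /* bounded advance to next word */
    }
    return out->count;
}

/* Post-condition check: every recorded chunk respects the limit. */
int chunks_within_limit(const struct chunk_log *out)
{
    int i;
    for (i = 0; i < out->count; i++)
        if (strlen(out->text[i]) > MAX_SYSLOG_LEN)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: the final word exceeds the limit and has no space
     * after it, so the unchecked scan would run off the end of msg. */
    char msg[] = "user alice ran /usr/bin/verylongcommandname";
    struct chunk_log out;
    int n = split_for_syslog(msg, &out), i;

    for (i = 0; i < n; i++)
        printf("chunk %d: \"%s\"\n", i, out.text[i]);
    printf("message intact: %s\n", msg);
    return 0;
}
```

With the sample message the routine emits three chunks ("user alice ran", "/usr/bin/verylon", "gcommandname"), each within the limit, and leaves the original buffer unchanged once it returns; the second cut is the hard, mid-word case in which the advisory's scan would have had no space left to find.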

Affected Products:

  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 6.4.0 i386
  • S.u.S.E. Linux 6.4.0 ppc
  • Slackware Linux 7.1.0
  • Todd Miller Sudo 1.5.6
  • Todd Miller Sudo 1.5.7
  • Todd Miller Sudo 1.5.8
  • Todd Miller Sudo 1.5.9
  • Todd Miller Sudo 1.6.0
  • Todd Miller Sudo 1.6.1
  • Todd Miller Sudo 1.6.2
  • Todd Miller Sudo 1.6.3
  • Todd Miller Sudo 1.6.3p1
  • Todd Miller Sudo 1.6.3p2
  • Todd Miller Sudo 1.6.3p3
  • Todd Miller Sudo 1.6.3p4
  • Todd Miller Sudo 1.6.3p5

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.