Miscellaneous notes

Thoughts on books, technical notes and the like

A bug in sudo-1.8

Sudo 1.8.0 introduced simple debugging support that was primarily intended for use when developing policy or I/O logging plugins. The sudo_debug() function contains a flaw where the program name is used as part of the format string passed to the fprintf() function. The program name can be controlled by the caller, either via a symbolic link or, on some systems, by setting argv[0] when executing sudo. For example:

$ ln -s /usr/bin/sudo ./%s
$ ./%s -D9
Segmentation fault

Using standard format string vulnerability exploitation techniques it is possible to leverage this bug to achieve root privileges.

A bug in sudo-1.8.0 through 1.8.2. It lets an attacker obtain root privileges.

Reading the sudo-1.8.2 code, sudo_debug() first calls easprintf (sudo's own sprintf-style function) and then vfprintf. When getprogname() returns '%s', the format handed to vfprintf contains more %s conversions than there are arguments, which is apparently why it segfaults.

/*
 * Simple debugging/logging.
 */
void
sudo_debug(int level, const char *fmt, ...)
{
    va_list ap;
    char *fmt2;

    if (level > debug_level)
        return;

    /* Bracket fmt with program name and a newline to make it a single write */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    va_start(ap, fmt);
    vfprintf(stderr, fmt2, ap);
    va_end(ap);
    efree(fmt2);
}
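The same construction in isolation, as an added example rather than sudo's own code: extra_conversions() reproduces the vulnerable "%s: %s\n" splice (with the program name passed in explicitly to stand in for getprogname()) and counts how many conversions the name adds, which is what makes vfprintf walk off the end of the argument list; debug_fixed() shows the repair, where the program name is only ever a %s argument and never part of a format. Buffer sizes and the "debug level %d" message are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count printf conversions in fmt ("%%" is a literal, not a conversion). */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* Vulnerable construction from sudo_debug(): progname is spliced into the
 * format string that vfprintf() will interpret.  Returns how many conversions
 * progname adds; anything above 0 means vfprintf() would read arguments the
 * caller never passed (the crash the page shows with a program named "%s"). */
int extra_conversions(const char *progname, const char *fmt)
{
    char fmt2[256];
    if (snprintf(fmt2, sizeof fmt2, "%s: %s\n", progname, fmt) < 0)  /* BUG */
        return -1;
    return count_conversions(fmt2) - count_conversions(fmt);
}

/* Fixed variant: progname is an argument of a constant "%s: " format, and only
 * the caller's fmt (a literal at the call site) is ever used as a format. */
int debug_fixed(char *out, size_t outlen, const char *progname, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outlen, "%s: ", progname);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    va_start(ap, fmt);
    int m = vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
    va_end(ap);
    return m < 0 ? -1 : n + m;
}

/* 1 if the fixed path renders exactly `expected` for this progname and level. */
int fixed_output_is(const char *progname, int level, const char *expected)
{
    char out[128];
    return debug_fixed(out, sizeof out, progname, "debug level %d\n", level) >= 0
        && strcmp(out, expected) == 0;
}
```

The vulnerable path is only ever analysed here, not executed with a mismatched argument list, so the example itself does not crash.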