The sudo-1.8 bug
Sudo 1.8.0 introduced simple debugging support that was primarily intended for use when developing policy or I/O logging plugins. The sudo_debug() function contains a flaw where the program name is used as part of the format string passed to the fprintf() function. The program name can be controlled by the caller, either via a symbolic link or, on some systems, by setting argv[0] when executing sudo. For example:
$ ln -s /usr/bin/sudo ./%s
$ ./%s -D9
Segmentation fault
Using standard format string vulnerability exploitation techniques it is possible to leverage this bug to achieve root privileges.
A bug in sudo-1.8.0 through 1.8.2. It lets an attacker take root privileges.
Reading the sudo-1.8.2 code, sudo_debug() calls easprintf (sudo's own sprintf-style function) and then vfprintf; when getprogname() returns '%s', the format handed to vfprintf has more %s conversions than there are arguments, which is apparently what causes the segmentation fault.
/*
 * Simple debugging/logging.
 */
void
sudo_debug(int level, const char *fmt, ...)
{
    va_list ap;
    char *fmt2;

    if (level > debug_level)
        return;

    /* Bracket fmt with program name and a newline to make it a single write */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    va_start(ap, fmt);
    /* fmt2 now contains getprogname() verbatim, so a '%' in argv[0] is parsed as a conversion */
    vfprintf(stderr, fmt2, ap);
    va_end(ap);
    efree(fmt2);
}
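As an added illustration (not sudo's own code, and not its actual patch), the following C program shows why the composed format in sudo_debug() ends up with more conversions than arguments once argv[0] contains a '%', next to a hardened variant that keeps the program name out of the format string entirely. The names count_conversions, composed_format_conversions and safe_debug_format are invented here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count conversion specifications in fmt; "%%" is a literal percent sign. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%')
            p++;            /* skip the escaped percent sign */
        else
            n++;
    }
    return n;
}

/* The sudo 1.8.0-1.8.2 pattern: progname is spliced into the format, so any '%'
 * it contains becomes a conversion. Only the count is returned; nothing is printed. */
int composed_format_conversions(const char *progname, const char *fmt)
{
    char fmt2[256];
    snprintf(fmt2, sizeof fmt2, "%s: %s\n", progname, fmt);
    return count_conversions(fmt2);
}

/* Hardened form: expand fmt against its own arguments first, then pass progname
 * and the expanded text as arguments of a fixed, literal format. Static buffer, not reentrant. */
const char *safe_debug_format(const char *progname, const char *fmt, ...)
{
    static char out[512];
    char msg[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    snprintf(out, sizeof out, "%s: %s\n", progname, msg);
    return out;
}

int main(void)
{
    printf("conversions in composed format: %d (arguments supplied: 1)\n",
           composed_format_conversions("%s", "level %d"));
    fputs(safe_debug_format("%s", "level %d", 9), stdout); /* prints: %s: level 9 */
    return 0;
}
```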