Bug 784443 (CVE-2012-0809)

Summary: CVE-2012-0809 sudo: format string flaw in sudo_debug()
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: dkopecek, ncorrare, pmatouse, rcvalle, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-02-02 13:36:44 UTC
Bug Depends On: 785771
Bug Blocks: 784446
Attachments: proposed upstream patch (flags: none)

Description Vincent Danen 2012-01-24 23:35:32 UTC
A flaw was reported in the debugging code of sudo versions 1.8.0 through 1.8.3p1 which can be used to crash sudo or, possibly, allow an unauthorized user to elevate their privileges via the debugging support added in sudo 1.8.0.  Due to a flaw in the sudo_debug() function, the program name (which can be controlled by the caller of sudo) is passed to fprintf() and can be exploited using standard format string exploitation techniques, allowing for the possible elevation to root privileges.

The calling user does _not_ need to be listed in the sudoers file in order to exploit this.


Acknowledgements:

Red Hat would like to thank Todd C. Miller for reporting this issue.  Upstream acknowledges joernchen of Phenoelit as the original reporter.


Statement:

Not vulnerable. This issue did not affect the versions of sudo as shipped with Red Hat Enterprise Linux 4, 5, or 6 as they did not include the vulnerable debugging support.
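The defect class described above, as an added illustration that is not sudo's own source: a debug helper that splices the caller-controlled program name into the format string, beside the fixed shape that always passes it as a "%s" argument. Function names, the fixed-size buffer and the output-to-buffer interface are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: progname (argv[0], chosen by whoever runs the binary)
 * is concatenated into the format string itself, so any '%' directives it
 * contains are interpreted by vsnprintf. Shown for illustration only;
 * calling it with directives in progname is undefined behaviour. */
static int debug_vulnerable(char *out, size_t outlen,
                            const char *progname, const char *fmt, ...)
{
    char fmt2[256];
    va_list ap;
    int n;

    snprintf(fmt2, sizeof fmt2, "%s: %s", progname, fmt); /* progname -> format */
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt2, ap);                 /* BUG: fmt2 is tainted */
    va_end(ap);
    return n;
}

/* Fixed shape: progname is only ever data for a fixed "%s" directive, so
 * "%x%x" or "%n" in argv[0] is printed literally and never interpreted. */
static int debug_fixed(char *out, size_t outlen,
                       const char *progname, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outlen, "%s: ", progname);

    if (n < 0 || (size_t)n >= outlen)
        return n;
    va_start(ap, fmt);
    n += vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    char buf[128];

    /* Constructed argv[0] containing format directives: harmless here. */
    debug_fixed(buf, sizeof buf, "%x%x", "settings: debug_level=%d", 9);
    puts(buf); /* %x%x: settings: debug_level=9 */
    return 0;
}
```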

Comment 2 Vincent Danen 2012-01-24 23:37:45 UTC
Created attachment 557339 [details]
proposed upstream patch

Comment 5 Vincent Danen 2012-01-30 15:26:15 UTC
External References:

http://www.sudo.ws/sudo/alerts/sudo_debug.html

Comment 6 Vincent Danen 2012-01-30 15:28:11 UTC
Created sudo tracking bugs for this issue

Affects: fedora-16 [bug 785771]

Comment 7 Tomas Hoger 2012-01-30 15:54:48 UTC
(In reply to comment #5)
> http://www.sudo.ws/sudo/alerts/sudo_debug.html

Upstream advisory notes:

  Workaround:
  On systems that support FORTIFY_SOURCE (most Linux and NetBSD), adding
  -D_FORTIFY_SOURCE=2 to the OSDEFS line in src/Makefile and rebuilding sudo
  will prevent the bug from being exploited.

which is the default on Fedora, making this issue crash-only.

Comment 8 Fedora Update System 2012-01-31 22:00:08 UTC
sudo-1.8.3p1-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Nicolas Corrarello 2012-02-02 12:42:54 UTC
Fixed with the update mentioned in #8


[sgtpepper@conan ~]$ ./%s -D9
%s: settings: debug_level=9
%s: settings: progname=%s
%s: settings: implied_shell=true
%s: settings: network_addrs=************/255.255.255.0 192.168.122.1/255.255.255.0 ************/255.255.255.0 fe80::218:deff:fe7b:c1f3/ffff:ffff:ffff:ffff:: fe80::e845:4eff:fe71:58ca/ffff:ffff:ffff:ffff::
%s: sudo_mode 655361
%s: policy plugin returns -2
usage: %s [-D level] -h | -K | -k | -V
usage: %s -v [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-u user
          name|#uid]
usage: %s -l[l] [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-U user
          name] [-u user name|#uid] [-g groupname|#gid] [command]
usage: %s [-AbEHknPS] [-r role] [-t type] [-C fd] [-D level] [-g
          groupname|#gid] [-p prompt] [-u user name|#uid] [-g groupname|#gid]
          [VAR=value] [-i|-s] [<command>]
usage: %s -e [-AknS] [-r role] [-t type] [-C fd] [-D level] [-g groupname|#gid]
          [-p prompt] [-u user name|#uid] file ...
[sgtpepper@conan ~]$ rpm -q sudo
sudo-1.8.3p1-2.fc16.x86_64
[sgtpepper@conan ~]$

Comment 10 Petr Matousek 2012-03-20 08:54:54 UTC
http://www.vnsecurity.net/2012/02/exploiting-sudo-format-string-vunerability/

The presented CVE-2012-0809 exploit uses a FORTIFY_SOURCE bypass method that is already fixed in Red Hat Enterprise Linux and Fedora. For further information please see bug 794766 (CVE-2012-0864).