A flaw was reported in the debugging code of sudo versions 1.8.0 through 1.8.3p1 which can be used to crash sudo or, possibly, allow an unauthorized user to elevate their privileges via the debugging support added in sudo 1.8.0. Due to a flaw in the sudo_debug() function, the program name (which can be controlled by the caller of sudo) is passed to fprintf() and can be exploited using standard format string exploitation techniques, allowing for the possible elevation to root privileges. The calling user does _not_ need to be listed in the sudoers file in order to exploit this.

Acknowledgements: Red Hat would like to thank Todd C. Miller for reporting this issue. Upstream acknowledges joernchen of Phenoelit as the original reporter.

Statement: Not vulnerable. This issue did not affect the versions of sudo as shipped with Red Hat Enterprise Linux 4, 5, or 6 as they did not include the vulnerable debugging support.
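The flaw class described in the report above, as an added C example (not sudo's code and not part of the original report): a caller-controlled program name spliced into a format string, beside a form that only ever passes it as an argument. The function names and buffer-based output are assumptions, and the constructed program name `a%%b` uses only the argument-free `%%` conversion, so the behaviour is well defined.

```c
#include <stdarg.h>
#include <stdio.h>

/* Hypothetical helpers: output goes to a buffer instead of stderr so the
 * result can be inspected. */

/* Vulnerable pattern: the program name becomes part of the format string,
 * so every '%' in it is interpreted as a conversion specification. */
static int debug_unsafe(char *out, size_t outlen, const char *progname,
                        const char *fmt, ...)
{
    char fmt2[256];
    va_list ap;
    int n;

    snprintf(fmt2, sizeof(fmt2), "%s: %s", progname, fmt);
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt2, ap);  /* progname is now format text */
    va_end(ap);
    return n;
}

/* Hardened pattern: the program name is data for a constant "%s"; only
 * the caller's own format string is expanded against the varargs. */
static int debug_safe(char *out, size_t outlen, const char *progname,
                      const char *fmt, ...)
{
    va_list ap;
    int n, m;

    n = snprintf(out, outlen, "%s: ", progname);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                         /* prefix did not fit */
    va_start(ap, fmt);
    m = vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
    va_end(ap);
    return m < 0 ? -1 : n + m;
}

int main(void)
{
    char u[128], s[128];
    const char *progname = "a%%b";         /* constructed sample name */

    debug_unsafe(u, sizeof(u), progname, "debug_level=%d", 9);
    debug_safe(s, sizeof(s), progname, "debug_level=%d", 9);
    printf("unsafe: %s\nsafe:   %s\n", u, s);
    return 0;
}
```

The unsafe variant collapses `%%` to `%`, which shows the name was parsed as a format; the safe variant reproduces the name byte for byte.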
Created attachment 557339
proposed upstream patch
External References: http://www.sudo.ws/sudo/alerts/sudo_debug.html
Created sudo tracking bugs for this issue

Affects: fedora-16 [bug 785771]
(In reply to comment #5)
> http://www.sudo.ws/sudo/alerts/sudo_debug.html

Upstream advisory notes:

  Workaround: On systems that support FORTIFY_SOURCE (most Linux and NetBSD), adding -D_FORTIFY_SOURCE=2 to the OSDEFS line in src/Makefile and rebuilding sudo will prevent the bug from being exploited.

which is what is the default on Fedora, making this issue a crash-only.
sudo-1.8.3p1-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Fixed with the update mentioned in #8

[sgtpepper@conan ~]$ ./%s -D9
%s: settings: debug_level=9
%s: settings: progname=%s
%s: settings: implied_shell=true
%s: settings: network_addrs=************/255.255.255.0 192.168.122.1/255.255.255.0 ************/255.255.255.0 fe80::218:deff:fe7b:c1f3/ffff:ffff:ffff:ffff:: fe80::e845:4eff:fe71:58ca/ffff:ffff:ffff:ffff::
%s: sudo_mode 655361
%s: policy plugin returns -2
usage: %s [-D level] -h | -K | -k | -V
usage: %s -v [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-u user name|#uid]
usage: %s -l[l] [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-U user name] [-u user name|#uid] [-g groupname|#gid] [command]
usage: %s [-AbEHknPS] [-r role] [-t type] [-C fd] [-D level] [-g groupname|#gid] [-p prompt] [-u user name|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] [<command>]
usage: %s -e [-AknS] [-r role] [-t type] [-C fd] [-D level] [-g groupname|#gid] [-p prompt] [-u user name|#uid] file ...
[sgtpepper@conan ~]$ rpm -q sudo
sudo-1.8.3p1-2.fc16.x86_64
[sgtpepper@conan ~]$
http://www.vnsecurity.net/2012/02/exploiting-sudo-format-string-vunerability/

The presented CVE-2012-0809 exploit uses a FORTIFY_SOURCE bypass method that is already fixed in Red Hat Enterprise Linux and Fedora. For further information please see bug 794766 (CVE-2012-0864).