Bug 784443 - (CVE-2012-0809) sudo: format string flaw in sudo_debug()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low   Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20120130,reported=2...
Keywords: Security
Depends On: 785771
Blocks: 784446
Reported: 2012-01-24 18:35 EST by Vincent Danen
Modified: 2012-07-17 12:05 EDT
Doc Type: Bug Fix
Last Closed: 2012-02-02 08:36:44 EST
Attachments:
proposed upstream patch (745 bytes, patch) - 2012-01-24 18:37 EST, Vincent Danen

Description Vincent Danen 2012-01-24 18:35:32 EST
A flaw was reported in the debugging code of sudo versions 1.8.0 through 1.8.3p1 which can be used to crash sudo or, possibly, allow an unauthorized user to elevate their privileges via the debugging support added in sudo 1.8.0.  Due to a flaw in the sudo_debug() function, the program name (which can be controlled by the caller of sudo) is passed to fprintf() and can be exploited using standard format string exploitation techniques, allowing for the possible elevation to root privileges.

The calling user does _not_ need to be listed in the sudoers file in order to exploit this.


Acknowledgements:

Red Hat would like to thank Todd C. Miller for reporting this issue.  Upstream acknowledges joernchen of Phenoelit as the original reporter.


Statement:

Not vulnerable. This issue did not affect the versions of sudo as shipped with Red Hat Enterprise Linux 4, 5, or 6 as they did not include the vulnerable debugging support.
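The description above boils down to one programming mistake: the caller-controlled program name (argv[0], as returned by getprogname()) ends up inside the format argument of a *printf call. The following is an added example, not sudo's own code and not the upstream patch, that reproduces the pattern in miniature and sets the vulnerable variant beside a fixed one. The helper names (debug_vulnerable, debug_fixed, count_directives, sample_shows_interpretation) and the sample program name "100%%done" are this example's own. The sample deliberately uses only "%%", which is well defined, so the difference between the two variants can be observed without the undefined behaviour a real "%s%s%n" payload triggers; count_directives() shows how many conversions such a payload would inject.

```c
/*
 * Added example (not sudo's code): a minimal stand-in for the sudo 1.8.x
 * sudo_debug() pattern, showing why a caller-controlled program name must
 * never reach the format argument of the *printf family.
 *
 * Assumptions: all function names and the "100%%done" sample are this
 * example's own; the real sudo_debug() wrote to stderr, these write to a
 * caller-supplied buffer so the result can be inspected.
 */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Vulnerable pattern: the program name is glued into the format string
 * *before* the variadic call, so every '%' in it is parsed as a conversion.
 * Note that -Wformat-security does not catch this, because the format
 * passed to vsnprintf() is a freshly built buffer, not a bare parameter.
 */
static int debug_vulnerable(char *out, size_t outsz, const char *progname,
                            const char *fmt, ...)
{
    char fmt2[256];
    va_list ap;
    int n;

    /* Bracket fmt with the program name: this line is the bug. */
    snprintf(fmt2, sizeof fmt2, "%s: %s\n", progname, fmt);
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt2, ap);   /* attacker text is now the format */
    va_end(ap);
    return n;
}

/*
 * Fixed pattern: the program name is emitted as data through "%s"; only
 * the literal fmt written by the programmer is ever interpreted.
 */
static int debug_fixed(char *out, size_t outsz, const char *progname,
                       const char *fmt, ...)
{
    va_list ap;
    int n, m;

    n = snprintf(out, outsz, "%s: ", progname);
    if (n < 0 || (size_t)n >= outsz)
        return n;
    va_start(ap, fmt);
    m = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0)
        return m;
    n += m;
    if ((size_t)n + 1 < outsz) {          /* append the trailing newline */
        out[n++] = '\n';
        out[n] = '\0';
    }
    return n;
}

/* Count the '%' conversions an attacker-controlled string would inject. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        count++;
    }
    return count;
}

/*
 * Run the constructed "100%%done" sample through both variants. Returns 1
 * when the vulnerable variant collapsed "%%" to "%" (it parsed the program
 * name as a format) and the fixed variant reproduced the name verbatim.
 */
static int sample_shows_interpretation(void)
{
    char v[256], f[256];
    debug_vulnerable(v, sizeof v, "100%%done", "settings: debug_level=%d", 9);
    debug_fixed(f, sizeof f, "100%%done", "settings: debug_level=%d", 9);
    return strcmp(v, "100%done: settings: debug_level=9\n") == 0 &&
           strcmp(f, "100%%done: settings: debug_level=9\n") == 0;
}

int main(int argc, char **argv)
{
    char buf[256];
    (void)argc;
    /* Like sudo, treat argv[0] as the program name; the caller picks it. */
    printf("argv[0] would inject %d conversion(s) into the vulnerable format\n",
           count_directives(argv[0]));
    debug_fixed(buf, sizeof buf, argv[0], "settings: debug_level=%d", 9);
    fputs(buf, stdout);
    printf("constructed \"100%%%%done\" sample: %s\n",
           sample_shows_interpretation()
               ? "vulnerable variant interpreted it, fixed variant did not"
               : "unexpected result");
    return 0;
}
```

Build with `gcc -O2 -Wall -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -o debugfmt debugfmt.c` and run it as `(exec -a '%s%s%s%n' ./debugfmt)` to see how an attacker chooses argv[0] without needing any sudoers entry. Only the fixed variant is fed argv[0] in main(), so the harness stays well defined whatever name it is started under; the vulnerable variant is exercised only on the "%%" sample.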
Comment 2 Vincent Danen 2012-01-24 18:37:45 EST
Created attachment 557339 [details]
proposed upstream patch
Comment 5 Vincent Danen 2012-01-30 10:26:15 EST
External References:

http://www.sudo.ws/sudo/alerts/sudo_debug.html
Comment 6 Vincent Danen 2012-01-30 10:28:11 EST
Created sudo tracking bugs for this issue

Affects: fedora-16 [bug 785771]
Comment 7 Tomas Hoger 2012-01-30 10:54:48 EST
(In reply to comment #5)
> http://www.sudo.ws/sudo/alerts/sudo_debug.html

Upstream advisory notes:

  Workaround:
  On systems that support FORTIFY_SOURCE (most Linux and NetBSD), adding
  -D_FORTIFY_SOURCE=2 to the OSDEFS line in src/Makefile and rebuilding sudo
  will prevent the bug from being exploited.

which is the default on Fedora, making this issue crash-only.
Comment 8 Fedora Update System 2012-01-31 17:00:08 EST
sudo-1.8.3p1-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Nicolas Corrarello 2012-02-02 07:42:54 EST
Fixed with the update mentioned in #8


[sgtpepper@conan ~]$ ./%s -D9
%s: settings: debug_level=9
%s: settings: progname=%s
%s: settings: implied_shell=true
%s: settings: network_addrs=************/255.255.255.0 192.168.122.1/255.255.255.0 ************/255.255.255.0 fe80::218:deff:fe7b:c1f3/ffff:ffff:ffff:ffff:: fe80::e845:4eff:fe71:58ca/ffff:ffff:ffff:ffff::
%s: sudo_mode 655361
%s: policy plugin returns -2
usage: %s [-D level] -h | -K | -k | -V
usage: %s -v [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-u user
          name|#uid]
usage: %s -l[l] [-AknS] [-D level] [-g groupname|#gid] [-p prompt] [-U user
          name] [-u user name|#uid] [-g groupname|#gid] [command]
usage: %s [-AbEHknPS] [-r role] [-t type] [-C fd] [-D level] [-g
          groupname|#gid] [-p prompt] [-u user name|#uid] [-g groupname|#gid]
          [VAR=value] [-i|-s] [<command>]
usage: %s -e [-AknS] [-r role] [-t type] [-C fd] [-D level] [-g groupname|#gid]
          [-p prompt] [-u user name|#uid] file ...
[sgtpepper@conan ~]$ rpm -q sudo
sudo-1.8.3p1-2.fc16.x86_64
[sgtpepper@conan ~]$
Comment 10 Petr Matousek 2012-03-20 04:54:54 EDT
http://www.vnsecurity.net/2012/02/exploiting-sudo-format-string-vunerability/

The presented CVE-2012-0809 exploit uses a FORTIFY_SOURCE bypass method that is already fixed in Red Hat Enterprise Linux and Fedora. For further information please see bug 794766 (CVE-2012-0864).