Bugtraq mailing list archives
Re: hole in sudo for MP-RAS.
From: cschuber () uumail gov bc ca (Cy Schubert - ITSD Open Systems Group)
Date: Mon, 12 Jan 1998 18:54:13 -0800
As this seems to only affect that one OS, I'm not sure I would call it a bug in sudo. When this was reported for 1.5.2 I took a look but couldn't find any way to reproduce it (and I don't have access to the OS in question).
I've been able to reproduce the exploit using cu-sudo 1.5.3 under DEC UNIX 4.0B and FreeBSD 2.2.5. After looking at the code the bug can be exploited on any platform. Here is a patch to fix the problem, assuming your operating system of choice supports realpath(3). *BSD, Linux, Solaris, SunOS, DEC UNIX, AIX, and DG/UX should have no problem with this patch. diff -ur sudo.v1.5.3.orig/find_path.c sudo.v1.5.3/find_path.c --- sudo.v1.5.3.orig/find_path.c Wed Nov 13 18:37:22 1996 +++ sudo.v1.5.3/find_path.c Mon Jan 12 17:55:43 1998 @@ -118,7 +118,11 @@ * the error is "not found" -- this way we get the correct error. */ if (strchr(file, '/')) { - (void) strcpy(command, file); + if (realpath(file, command) == NULL) { + (void) fprintf(stderr, "%s: %s", Argv[0], file); + perror(""); + exit(1); + } if (sudo_goodpath(command)) { return(command); } else {
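Review bot: The added realpath(file, command) call can write up to PATH_MAX bytes into command, and nothing in this hunk shows how command is declared, so confirm the buffer is at least MAXPATHLEN (PATH_MAX) bytes; the strcpy(command, file) it replaces had no bound either. In the failure branch, fprintf(stderr, "%s: %s", Argv[0], file) followed by perror("") prints the file name and the error text with no separator between them, because perror with an empty string emits only the message; put the trailing ": " in the format string. The exit(1) there also bypasses the else branch that the context comment says exists to report "not found" correctly, so check that a nonexistent path still produces the error users expect.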
- todd
Regards,
Cy Schubert
UNIX Support
ITSD
Government of BC

Phone: (250)387-8437
Fax: (250)387-5766
OV/VM: BCSC02(CSCHUBER)
BITNET: CSCHUBER@BCSC02.BITNET
Internet: cschuber () uumail gov bc ca
          Cy.Schubert () gems8 gov bc ca

"Quit spooling around, JES do it."