[Global InterSec 2002041701] Sudo Password Prompt Vulnerability.

[Global InterSec Research <lists () globalintersec com>]

Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID: 2002041701
Changed: 25/04/2002
Author: research () globalintersec com
Reference: http://www.globalintersec.com/adv/sudo-2002041701.txt

Summary:

   Sudo - A popular utility for allowing users to execute
   commands as other users contains a vulnerability which
   may be exploited to execute arbitrary commands.

Impact:

   A local user may gain root access through corruption of
   the heap (Off-By-Five).

Versions Tested To Be Vulnerable:

        1.6.5p2
        1.6.4
        1.6.3p7 (SuSE 7.1 Update, RedHat 7.2)
        1.6.3   (SuSE 7.1)
        1.6.2

Description:

  Sudo, an open source utility shipped with many linux
  distributions enables the super user to grant non
  root users permission to execute commands as other
  users (including root). Access to sudo is normally
  regulated via /etc/sudoers.

  One of the functions of sudo enables users to specify
  the password prompt given when challenged for their
  password to 'sudo'. On parsing this parameter (-p) to
  sudo, a user may also specify characters which expand
  to either the hostname (%h) or the username (%u).
  On the reception of these expansion characters, sudo
  will malloc() memory for the string the argument to -p
  will form.

  Unfortunately it is possible to trick sudo into allocating
  less memory than it should for the prompt.
  Under certain conditions it is possible to exploit this
  bug to corrupt the heap in a way in which could be used
  to execute arbitrary commands.

  Because of the nature of sudo, it is installed by default
  as suid() root and therefore could be used to escalate
  normal user privileges to that of the root user, taking
  into account the restrictions noted below.

Scope for attack:

  As noted above, this vulnerability could be used to escalate
  user privileges to that of the super user.
  However, for this to happen several factors must be considered.

  -  The options which sudo were compiled with may determine
     if it is exploitable or not. In our tests we used binaries
     compiled with PAM support, which we found to be exploitable.
     Many distributions of linux ship with PAM enabled builds of
     sudo.

     Distributions shipping PAM enabled sudo binaries include
     those of SuSE and RedHat.

  -  The length of the hostname on the system a vulnerable
     binary is on is a critical factor in the way in which
     the bug is exploited.

Work around:

  Remove the suid bit from the sudo binary and remove any
  entries in /etc/sudoers.

Credit:

  This vulnerability was originally discovered by fc,
  a GIS affiliate. Research and vendor coordination
  were carried out by the Global InterSec research
  division, under Tom Parker.

  Please email research () globalintersec com for more
  information.

  Thanks also to Todd Miller, the sudo maintainer for
  responding so quickly to our email.


Vendor Solutions:

        A patch for version 1.6.5p2 is available at:
        http://www.globalintersec.com/adv/files/sudo-1.6.5p3.patch
        
        Both the Sudo maintainer and Vendors shipping vulnerable
        versions of sudo have been notified well in advance of the
        release date. A list of advisories by individual vendors will
        be appended to this advisory as they become available.
        
        The most recent copy of this advisory is available at the
        "Reference" URL noted in the header of this advisory.

Proof of Concept, Semi-Technical Details:

  When sudo is called with the -p parameter, expand_prompt()
  is called to check for and  expand any special characters
  parsed as arguments to -p (%h or %u).

  expand_prompt will then calculate space for the expanded
  prompt and malloc() the calculated amount.
  On miscalculation of the required space, the place in
  which sudo break will depend on:

  - The string used to cause sudo to miscalculate
    the required space and the length which any
    expansion character(s) expand to.
  - The compilation options sudo was built with.

  These factors therefore have a direct influence on how the
  bug is to be exploited, if at all.

  In the case of a string 'h%h%' being parsed to the -p
  option, miscalculation of the prompt length occurs due
  to the first h in our string being treated as an %h
  and the last character still having the value of % where
  it should of been given the value '\0' if *lastchar had
  been re-initialised correctly.

  In the example below we used a system who's hostname was 7
  bytes long. Because of the length of the hostname, we were
  able to trigger the vulnerability, but without causing a
  SEGV, before we were able to write additional data into
  memory for sudo to read into.

  In the case of a system with a hostname over 8 bytes, you
  may find that the expansion of the hostname has written
  so far into memory that sudo segfaults before additional
  memory can be written via the password prompt.

  In this case an alternative method would be needed to write
  into memory so that relevant registers are corrupted.
  This could possibly be in parameters to -p or in the environment
  variable 'SUDO_PROMPT' (which -p overrides).

  user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > gdb sudo

  GNU gdb 5.0
  Copyright 2000 Free Software Foundation, Inc.

  (gdb) r -p h%h% -s
  Starting program: /research/sudo/dist/sudo-1.6.5p2/sudo -p h%h% -s

  efiantdefian¡ <4 Bytes>\xef\xbe\xad\xde\<84 Bytes> # Password Challenge
  Sorry, try again.

  Program received signal SIGSEGV, Segmentation fault.
  0x400d49c1 in chunk_alloc () from /lib/libc.so.6
  (gdb) i r $edi
   edi            0xdeadbeef       -559038737
  (gdb)

  Note that %ecx and %edx were also within our reach.

  Our example used a sudo 1.6.5p2 binary with --with-pam enabled
  at build time.

  The off-by-five condition still occurs when sudo is compiled
  without PAM as we can see from the following example, using
  a slightly modified version of sudo.

  user@defiant:~/research/sudo/dist/sudo-1.6.5p2 > ./sudo -p h%h% -s
  Allocating 9 bytes for prompt: efiantdefiant% (14 bytes long)
  efiantdefiant%
  Sorry, try again.
  efiantdefiant%
  ^C
  ./sudo: 1 incorrect password attempt
  user@defiant:~/research/sudo/dist/sudo-1.6.5p2 >

  To this end - sudo without pam support (or any other configuration)
  must be considered vulnerable as alternative ways to cause functions
  in sudo to read into corrupted areas of memory and gain flow control
  of sudo (other than the pam functions) may exist.

  Please see: http://www.phrack.org/show.php?p=57&a=8 for more information
  on exploiting this type of vulnerability,.

Legal:

   This advisory is the intellectual property of Global InterSec LLC
   but may be freely distributed with the conditions that:

   a) No fee is charged
   b) Appropriate credit is given.

(c) Global InterSec LLC 2002