Vulnerability Development mailing list archives

research on recent Sudo overflows wanted


From: KF <dotslash () snosoft com>
Date: Tue, 05 Jun 2001 14:54:12 -0400


Alright, I have been researching the recent sudo overflow a bit and I need
some help...

                   Red Hat, Inc. Red Hat Security Advisory
 
Synopsis:          Updated sudo packages fixing buffer overrun available
Advisory ID:       RHSA-2001:019-02
Issue date:        2001-02-23
Updated on:        2001-03-21
...

An overrunnable buffer exists in sudo versions prior to 1.6.3p6
 
The code splitting a log entry into smaller chunks contained an
overrunnable buffer. Carefully constructed long commands could lead to
execution of code as root. There is no known exploit at this time.

My research notes are below...does anyone have ideas for the
exploitation of this hole?

/*
 * Two main functions, log_error() to log errors and log_auth() to
 * log allow/deny messages.
 */

File: logging.h
# define MAXSYSLOGLEN         960

File: logging.c
 
/*
 * Log a message to syslog, pre-pending the username and splitting the
 * message into parts if it is longer than MAXSYSLOGLEN.
 */

    /*
     * Log the full line, breaking into multiple syslog(3) calls if necessary
     */
    for (p = msg, count = 0; count < strlen(msg) / MAXSYSLOGLEN + 1; count++) {
        if (strlen(p) > MAXSYSLOGLEN) {
            /*
             * Break up the line into what will fit on one syslog(3) line
             * Try to break on a word boundary if possible.
             */
            for (tmp = p + MAXSYSLOGLEN; tmp > p && *tmp != ' '; tmp--)
                ;
            if (tmp <= p)
                tmp = p + MAXSYSLOGLEN;

            /* NULL terminate line, but save the char to restore later */
            save = *tmp;
... more code

blah blah, more stuff, then this is where it pukes:

    easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s",
        message, user_tty, user_cwd, *user_runas, user_cmnd,
        user_args ? " " : "", user_args ? user_args : "");

sooooooo let's get an old version of sudo and compile it:

[root@linux sudo-1.6.3p5]# ./configure --with-logging=syslog

As root, test it out:
[root@linux d0tslash]# sudo su `perl -e 'print "A" x 4948'`
Segmentation fault

As a user in sudoers:
[d0tslash@linux d0tslash]$ /usr/local/bin/sudo su `perl -e 'print "A" x 4948'`
Password:
Segmentation fault


As a user not in sudoers:
sh-2.04$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
sh-2.04$  /usr/local/bin/sudo su `perl -e 'print "A" x 4948'`
 
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
 
        #1) Respect the privacy of others.
        #2) Think before you type.
 
Password:
Sorry, try again.
Password:
/usr/local/bin/sudo: 1 incorrect password attempt

Segmentation fault
sh-2.04$
 
OK, let's break out gdb:
[root@linux sudo-1.6.3p5]# gdb sudo
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
(gdb) run ls `perl -e 'print "A" x 4948'`
Starting program: /home/d0tslash/sudo-1.6.3p5/sudo ls `perl -e 'print "A" x 4948'`

Program received signal SIGSEGV, Segmentation fault.
0x0804ae71 in do_syslog (pri=5,
    msg=0x806a4a8 "TTY=pts/1 ; PWD=/home/d0tslash/sudo-1.6.3p5 ; USER=root ; COMMAND=/bin/ls ", 'A' <repeats 126 times>...) at logging.c:138
138                 for (p = tmp; *p != ' '; p++)
 
(gdb) bt
#0  0x0804ae71 in do_syslog (pri=5,
    msg=0x806a4a8 "TTY=pts/1 ; PWD=/home/d0tslash/sudo-1.6.3p5 ; USER=root ; COMMAND=/bin/ls ", 'A' <repeats 126 times>...) at logging.c:138
#1  0x0804b370 in log_auth (status=2, inform_user=1) at logging.c:302
#2  0x0804c61a in main (argc=3, argv=0xbfffe4dc) at sudo.c:334
#3  0x4006d0de in __libc_start_main () from /lib/libc.so.6

Ideas please... I can't seem to hit the EIP or overwrite anything.
-KF
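As an added example (not sudo's code and not part of KF's notes): a bounds-checked rewrite of the log-splitting loop quoted above, for comparison with the 1.6.3p5 version that crashes at logging.c:138. The gdb output shows that line advancing p while *p != ' ', so a long argument containing no spaces keeps reading beyond the end of msg (consistent with the SIGSEGV in the traces); the version below bounds every step by the string terminator. It assumes the MAXSYSLOGLEN value from the quoted logging.h, and the input is constructed to match the 4948-'A' test.

```c
#include <stdlib.h>
#include <string.h>
#define MAXSYSLOGLEN 960   /* same limit as the quoted logging.h */

/* What a run of the splitter would have handed to syslog(3). */
struct split_stats { size_t pieces; size_t longest; size_t bytes; };

/* Split msg into syslog-sized pieces, preferring a word boundary. Every step is
 * bounded by the NUL terminator, so a spaceless argument (the 4948 'A' case)
 * cannot run past the end of msg as the p5 loop at logging.c:138 does. */
size_t split_log_line(const char *msg, struct split_stats *s)
{
    const char *p = msg;
    while (*p != '\0') {
        size_t len = strlen(p);
        size_t take = len;
        if (len > MAXSYSLOGLEN) {
            take = MAXSYSLOGLEN;          /* p[take] is in bounds since len > take */
            while (take > 0 && p[take] != ' ')
                take--;                   /* back up to the last word boundary */
            if (take == 0)
                take = MAXSYSLOGLEN;      /* no space at all: hard cut at the limit */
        }
        s->pieces++;                      /* real code: syslog(pri, "%.*s", (int)take, p) */
        s->bytes += take;
        if (take > s->longest)
            s->longest = take;
        p += take;
        while (*p == ' ')                 /* skip the separator, never the word */
            p++;
    }
    return s->pieces;
}

/* Constructed input shaped like the reporter's test: a log prefix then n_as 'A's. */
struct split_stats split_long_command(size_t n_as)
{
    struct split_stats s = {0, 0, 0};
    static const char prefix[] = "TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/ls ";
    size_t plen = sizeof(prefix) - 1;
    char *msg = malloc(plen + n_as + 1);
    if (msg != NULL) {
        memcpy(msg, prefix, plen);
        memset(msg + plen, 'A', n_as);
        msg[plen + n_as] = '\0';
        split_log_line(msg, &s);
        free(msg);
    }
    return s;
}
```

With 4948 'A's the prefix is cut at its last space (50 bytes) and the A's fall into five 960-byte pieces plus a 148-byte tail, seven pieces in all, none longer than MAXSYSLOGLEN.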
