Sudo format string vulnerability
A flaw exists in the debugging code in sudo versions 1.8.0 through 1.8.3p1 that can be used to crash sudo or potentially allow an unauthorized user to elevate privileges.
Sudo versions 1.8.0 through 1.8.3p1 inclusive are affected. Older versions of sudo are not affected.
This vulnerability has been assigned CVE-2012-0809 in the Common Vulnerabilities and Exposures database.
Sudo 1.8.0 introduced simple debugging support that was primarily intended for use when developing policy or I/O logging plugins. The sudo_debug() function contains a flaw where the program name is used as part of the format string passed to the fprintf() function. The program name can be controlled by the caller, either via a symbolic link or, on some systems, by setting argv[0] when executing sudo. For example:
$ ln -s /usr/bin/sudo ./%s
$ ./%s -D9
Segmentation fault
Using standard format string vulnerability exploitation techniques it is possible to leverage this bug to achieve root privileges.
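The flaw described above, shown as an added example that is not sudo's source code: spliced_format() builds a format string with the program name embedded in it, and debug_message() shows the corrected pattern, where the name is only ever an argument to a constant format. All function names are hypothetical, the "%s" program name is constructed to match the advisory's symlink, and the spliced string is only inspected, never passed to a printf-family function.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Flawed pattern: the program name becomes part of the format string.
 * This helper only builds that string so it can be inspected. */
int spliced_format(char *out, size_t n, const char *prog, const char *fmt)
{
    return snprintf(out, n, "%s: %s\n", prog, fmt);
}

/* Count the conversion specifications a printf-family call would consume. */
int count_conversions(const char *fmt)
{
    int count = 0;
    const char *p;
    for (p = strchr(fmt, '%'); p != NULL; p = strchr(p + 1, '%')) {
        if (p[1] == '%')
            p++;                /* "%%" is a literal percent sign */
        else if (p[1] != '\0')
            count++;
    }
    return count;
}

/* Corrected pattern: expand the caller's format first, then emit the
 * program name and the expanded message as data via a constant format. */
int debug_message(char *out, size_t n, const char *prog, const char *fmt, ...)
{
    char msg[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof(msg), fmt, ap);
    va_end(ap);
    return snprintf(out, n, "%s: %s\n", prog, msg);
}

int main(void)
{
    char buf[256];

    spliced_format(buf, sizeof(buf), "%s", "debug level %d");
    printf("spliced: %d conversions for 1 argument\n", count_conversions(buf));
    debug_message(buf, sizeof(buf), "%s", "debug level %d", 9);
    fputs(buf, stdout);
    return 0;
}
```

With the spliced format, the conversion count exceeds the number of arguments the caller supplied, which is the mismatch behind the segmentation fault shown above; the corrected form prints the program name verbatim.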
Successful exploitation of the bug will allow a user to run arbitrary commands as root.
Exploitation of the bug does not require that the attacker be listed in the sudoers file. As such, we strongly suggest that affected sites upgrade from affected sudo versions as soon as possible.
There is no workaround other than removing the setuid bit from the sudo binary (and rendering it unusable).
It was initially believed that building sudo with FORTIFY_SOURCE in conjunction with ASLR (address space layout randomization) and a non-executable stack would deter an attacker. However, an integer overflow in GNU libc’s FORTIFY_SOURCE support code can be used to bypass FORTIFY_SOURCE protection.
The bug is fixed in sudo 1.8.3p2. Sudo version 1.8.3p1 may be updated to version 1.8.3p2 via the file sudo-1.8.3p2.patch.gz. For sudo versions 1.8.0-1.8.3, the patch to sudo.c in sudo-1.8.3p2.patch.gz will also apply.
Thanks to joernchen of Phenoelit for finding and reporting the bug.