From: Jason Hellenthal
To: ports@freebsd.org
Cc: wxs@freebsd.org
Date: Mon, 30 Jan 2012 10:37:08 -0500
Subject: [joernchen@phenoelit.de: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability]
Message-ID: <20120130153708.GA35684@DataIX.net>

Please update this port.

----- Forwarded message from joernchen of Phenoelit -----

Date: Mon, 30 Jan 2012 14:56:26 +0100
From: joernchen of Phenoelit
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [Full-disclosure] Advisory: sudo 1.8 Format String Vulnerability

Hi,

FYI, see attached.
cheers,
joernchen

--
joernchen ~ Phenoelit ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC

Phenoelit Advisory

[ Authors ]
    joernchen
    Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
    sudo 1.8.0 - 1.8.3p1 (http://sudo.ws)

[ Vendor communication ]
    2012-01-24 Send vulnerability details to sudo maintainer
    2012-01-24 Maintainer is embarrassed
    2012-01-27 Asking maintainer how the fixing goes
    2012-01-27 Maintainer responds with a patch and a release date of
               2012-01-30 for the patched sudo and advisory
    2012-01-30 Release of this advisory

[ Description ]
    Observe src/sudo.c:

    void
    sudo_debug(int level, const char *fmt, ...)
    {
        va_list ap;
        char *fmt2;

        if (level > debug_level)
            return;

        /* Bracket fmt with program name and a newline to make it a single write */
        easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
        va_start(ap, fmt);
        vfprintf(stderr, fmt2, ap);
        va_end(ap);
        efree(fmt2);
    }

    Here getprogname() is argv[0] and therefore user controlled. So argv[0]
    goes to fmt2, which then gets vfprintf()ed to stderr. The result is a
    Format String vulnerability.

[ Example ]
    /tmp $ ln -s /usr/bin/sudo %n
    /tmp $ ./%n -D9
    *** %n in writable segment detected ***
    Aborted
    /tmp $

    A note regarding exploitability: The above example shows the result of
    FORTIFY_SOURCE, which makes exploitation painful but not impossible
    (see [0]). Without FORTIFY_SOURCE the exploit is straightforward:
    1. Use format string to overwrite the setuid() call with setgid()
    2. Trigger with format string -D9
    3. Make use of SUDO_ASKPASS and have shellcode in askpass script
    4. As askpass will be called after the format string has overwritten
       setuid(), the askpass script will run with uid 0
    5. Enjoy the rootshell

[ Solution ]
    Update to version 1.8.3p2

[ References ]
    [0] http://www.phrack.org/issues.html?issue=67&id=9

[ end of file ]

----- End forwarded message -----
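The splice the advisory describes, beside its hardened form, as an added example (my own code, not sudo's and not from the advisory): debug_format_unsafe mirrors putting getprogname() into the format string, debug_format_safe passes the name as a %s argument instead, and has_format_directive is a hypothetical audit helper. All function names and the sample inputs are assumptions for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flawed pattern from the advisory, reproduced for comparison: the
 * caller-controlled progname is spliced INTO the format string, so any
 * conversion it carries is interpreted by vsnprintf (undefined behaviour). */
static int debug_format_unsafe(char *out, size_t outlen, const char *progname,
                               const char *fmt, ...)
{
    size_t len = strlen(progname) + strlen(fmt) + 3;   /* ": " plus NUL */
    char *fmt2 = malloc(len);
    if (fmt2 == NULL) return -1;
    snprintf(fmt2, len, "%s: %s", progname, fmt);
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt2, ap);   /* progname drives the format */
    va_end(ap);
    free(fmt2);
    return n;
}

/* Hardened form: progname is passed as a %s ARGUMENT to a constant format,
 * and the caller's fmt (a string literal in real code) is formatted on its own. */
static int debug_format_safe(char *out, size_t outlen, const char *progname,
                             const char *fmt, ...)
{
    int n = snprintf(out, outlen, "%s: ", progname);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                      /* name alone would not fit */
    va_list ap;
    va_start(ap, fmt);
    int m = vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
    va_end(ap);
    return m < 0 ? -1 : n + m;
}

/* Audit helper: does a string carry a printf conversion? ("%%" is a literal.)
 * Lets a test assert that nothing caller-supplied reaches a format slot. */
static int has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}
```

With a benign name both variants produce identical output, which is why the defect is easy to miss in review; with a name such as "%n" only the hardened variant treats it as data.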