Ken Raeburn
2010-Jan-13 23:17 UTC
[Secure-testing-team] Bug#565223: possible vulnerability in sudo glob processing
Package: sudo
Version: 1.6.9p17-2
Severity: grave
Tags: security patch
Justification: user security hole

I'm investigating #556562 (wildcard "*" sudoers rules are broken), filed by a co-worker. I discovered it's your basic use-after-free problem, fixed by the following patch:

--- parse.c 2010/01/13 21:59:04 1.1 +++ parse.c 2010/01/13 21:59:12 @@ -316,9 +316,11 @@ break; } } - globfree(&gl); - if (*ap == NULL) + if (*ap == NULL) { + globfree(&gl); return(FALSE); + } + globfree(&gl); if (!sudoers_args || (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args)) ||

However, in tracking down just why globfree causes *ap to be NULL in our case, and digging into the malloc/free implementation details, it appears that the first word stored in the freed object (in this case the gl.gl_pathv array) can be overwritten with a linked-list pointer. Depending on the block size, other fields can be overwritten too. This means it may be influenced by other malloc/free activity in the process, and the number of entries in the directory matching the glob pattern, and the lengths of the filenames freed up before the gl.gl_pathv array itself is freed up, and I have not yet convinced myself that the first isn't subject to some amount of control by an attacker logged in to the system. If the attacker can cause *ap to be non-null when it shouldn't be, he may be able to execute commands he shouldn't be able to.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (1001, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.30-2-permabit1-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages sudo depends on:
ii  libc6             2.7-18           GNU C Library: Shared libraries
ii  libpam-modules    1.0.1-5+lenny1   Pluggable Authentication Modules f
ii  libpam0g          1.0.1-5+lenny1   Pluggable Authentication Modules l

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information
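Review bot: the reordering removes the read of *ap after globfree(&gl) on the early-return path, but after the second globfree(&gl) *ap still points into the freed gl.gl_pathv array, so if anything past the `if (!sudoers_args ||` test dereferences *ap (or any other pointer into the expansion), the same use-after-free survives on the success path; either confirm nothing later touches it, or copy the matched string before freeing. The two globfree(&gl) calls could also collapse into one by saving the result first, e.g. `found = (*ap != NULL); globfree(&gl); if (!found) return(FALSE);`, which makes the ordering constraint obvious to the next reader.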
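As an added example (not from the report and not sudo's own parse.c), here is the corrected ordering applied to a small self-contained matcher: the decision about *ap is taken while gl.gl_pathv is still allocated, and globfree() runs only afterwards. The function names, the scratch directory under /tmp and the file names are assumptions constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if cmnd is one of the paths the pattern expands to, else 0.
 * ap points into gl.gl_pathv, which globfree() releases, so *ap is read
 * before the free; the reported bug freed first and tested *ap afterwards. */
int sudoers_glob_matches(const char *pattern, const char *cmnd)
{
    glob_t gl;
    char **ap;
    int found;
    memset(&gl, 0, sizeof(gl));
    if (glob(pattern, 0, NULL, &gl) != 0) {
        globfree(&gl);              /* safe on a zeroed glob_t */
        return 0;
    }
    for (ap = gl.gl_pathv; *ap != NULL; ap++)
        if (strcmp(*ap, cmnd) == 0)
            break;
    found = (*ap != NULL);          /* decide while the array is live */
    globfree(&gl);                  /* only now release the expansion */
    return found;
}

/* Constructed fixture (hypothetical paths): one file in a scratch directory.
 * Returns how many of the two checks behaved as expected. */
int demo(void)
{
    char dir[64], pat[96], hit[96], miss[96];
    int passed = 0, fd;
    snprintf(dir, sizeof dir, "/tmp/globdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(hit, sizeof hit, "%s/backup.sh", dir);
    snprintf(miss, sizeof miss, "%s/other.sh", dir);   /* never created */
    snprintf(pat, sizeof pat, "%s/*.sh", dir);
    if ((fd = open(hit, O_WRONLY | O_CREAT, 0600)) >= 0)
        close(fd);
    passed += sudoers_glob_matches(pat, hit) == 1;      /* in the expansion */
    passed += sudoers_glob_matches(pat, miss) == 0;     /* not in it */
    unlink(hit);
    rmdir(dir);
    return passed;
}
```

Building with -fsanitize=address and moving the globfree() call above the `found =` line reproduces the heap-use-after-free report that the patch removes.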