Security hole in Sudo's debug option closed
A hole in the sudo command's debug options has been fixed by the developers. The problem, discovered by joernchen of phenoelit, affects sudo versions 1.8.0 to 1.8.3p1. The sudo command is used extensively by Linux distributions, Mac OS X and other Unix operating systems to allow users to execute commands with superuser privileges without logging in as root, and is often heavily relied upon. The security hole appeared in version 1.8.0 when a new simple debugging option was added.
Designed to assist administrators developing security policies, the debug option printed various messages. The messages included the name of the program being run, taken from argv; however, argv is controllable by the person calling the program. For example, by setting a symbolic link to the program with "ln -s /usr/bin/sudo ./%s" and then running "%s -D9", the string "%s" is passed to the fprintf string formatter and will cause the program to crash as it tries to read a parameter off the stack that isn't there.
A number of well-known techniques exist for exploiting this kind of problem. They would in turn allow an attacker to leverage sudo's root privileges and, without even being listed in the sudoers file, gain that privilege and run arbitrary commands as root.
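The bug class described above, as an added example that is not sudo's own code: a debug helper that pastes the program name into the format string, beside a hardened form that passes the name only as an argument to a constant "%s". The function names, buffer sizes and the sample name are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the program name (caller-chosen via argv[0]) is
 * pasted into the format string, so any '%' in it becomes a directive. */
static int debug_unsafe(char *out, size_t n, const char *progname,
                        const char *fmt, ...)
{
    char fmt2[256];
    va_list ap;
    int len;

    snprintf(fmt2, sizeof(fmt2), "%s: %s", progname, fmt);
    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt2, ap);   /* progname parsed as format */
    va_end(ap);
    return len;
}

/* Hardened pattern: the name is only ever data for a constant "%s". */
static int debug_safe(char *out, size_t n, const char *progname,
                      const char *fmt, ...)
{
    va_list ap;
    int used, len;

    used = snprintf(out, n, "%s: ", progname);
    if (used < 0 || (size_t)used >= n)
        return -1;                       /* prefix did not fit */
    va_start(ap, fmt);
    len = vsnprintf(out + used, n - used, fmt, ap);
    va_end(ap);
    return len < 0 ? -1 : used + len;
}

int main(void)
{
    char buf[128];
    /* Constructed name: "%%" is a defined directive (prints one '%'),
     * so the difference shows up without undefined behaviour. */
    const char *name = "100%%";

    debug_unsafe(buf, sizeof(buf), name, "level %d", 9);
    printf("unsafe: %s\n", buf);
    debug_safe(buf, sizeof(buf), name, "level %d", 9);
    printf("safe:   %s\n", buf);
    return 0;
}
```

Building with -Wformat -Wformat-nonliteral makes the compiler flag the non-literal format passed to vsnprintf in the first helper, which is a cheap check to run over code that wraps the printf family.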
As a workaround, the developers recommend compiling sudo with the FORTIFY_SOURCE option set on systems that support it (most Linux and BSD systems) to increase the complexity of exploiting the format string, but this option does not completely prevent exploitation, as demonstrated in an article in Phrack magazine.
Linux distributions that include sudo by default are also being updated. Fixes for Debian, Gentoo and Mageia are being prepared or have been released. The flaw does not affect Red Hat Enterprise Linux 4, 5 or 6 as, according to Red Hat, they did not ship with the vulnerable version of sudo, but Fedora 16 is affected and an updated package will be made available soon. Mac OS X 10.7 is unaffected as it still ships with sudo version 1.7.4p6.