Sudo: Heap-based overflow with small passwords

279 点作者 thewavelength超过 2 年前

15 条评论

yakubin超过 2 年前

Sudo must be the program with the largest number of buffer overflows I’ve heard about. That news is repeating itself ever since I remember.Maybe a good time to plug doas, a simpler alternative to sudo from OpenBSD folks[1], developed partly due to security fears about sudo. It’s also been ported to Linux and is available in e.g. Alpine and Debian.[1]: <<a href="https://flak.tedunangst.com/post/doas" rel="nofollow">https://flak.tedunangst.com/post/doas</a>>

评论 #33468518 未加载

评论 #33468136 未加载

评论 #33467833 未加载

评论 #33467763 未加载

评论 #33468970 未加载

评论 #33471425 未加载

评论 #33477518 未加载

评论 #33467114 未加载

评论 #33467740 未加载

评论 #33478509 未加载

评论 #33469840 未加载

评论 #33467983 未加载

phoe-krk超过 2 年前

A fun one. Buffer overflows tend to usually get associated with providing too much data; here's a nice case in which an overflow is triggered by providing too little. Seems like the buffer for storing the password was changed to be dynamically allocated, but only in some parts of the code; other parts still treated it as something that is at least nine bytes long (including the null terminator).In practice, this means that if your password is only one char, then the actual buffer is two bytes long, and the seventh byte past the buffer is then zeroed/set to the null terminator. I wonder if and how this is exploitable.

评论 #33466754 未加载

评论 #33468179 未加载

评论 #33466421 未加载

评论 #33466240 未加载

评论 #33467006 未加载

评论 #33472629 未加载

singron超过 2 年前

It looks like this only affects DES passwords. Glibc has supported other hashing algorithms for a very long time and most Linux distros have used them by default for years. I don't think there is a way for an unprivileged user to choose DES if it's not the default, so it's very unlikely this can actually be triggered.

评论 #33470651 未加载

erk__超过 2 年前

Fixed upstream here: <a href="https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050" rel="nofollow">https://github.com/sudo-project/sudo/commit/bd209b9f16fcd127...</a>

hardware2win超过 2 年前

Another day, another CVE in tool that we rely on everydayThe first question that we all want to askCould it be mitigated by safer, modern tech?

评论 #33466351 未加载

评论 #33466408 未加载

评论 #33466813 未加载

评论 #33467001 未加载

评论 #33466951 未加载

评论 #33466718 未加载

评论 #33466337 未加载

评论 #33473465 未加载

评论 #33470278 未加载

评论 #33466977 未加载

stabbles超过 2 年前

sudo feels like a broken concept to me in general.sudo make install, ok, great, some of the many operations you need to do requires privileges? Better give elevated privileges to all operations!Even worse with GUI: enter your password to install. Now I have absolutely no clue what the scope of sudo is.Of course I don't want to enter my password for all individual cp and mv operations, but if sudo had a better/smaller scope that'd be great.

评论 #33466734 未加载

评论 #33466541 未加载

评论 #33466649 未加载

评论 #33471826 未加载

评论 #33471512 未加载

评论 #33468685 未加载

评论 #33468566 未加载

alibob超过 2 年前

Why is "sudo 1.8.0 through 1.9.12" affected, but rhel8 shipping sudo 1.8.29 and rhel9 shipping sudo 1.9.5, are not affected?<<a href="https://access.redhat.com/security/cve/CVE-2022-43995" rel="nofollow">https://access.redhat.com/security/cve/CVE-2022-43995</a>><pre><code> Description: ... Sudo 1.8.0 through 1.9.12 ... Statement: The sudo package as distributed with Red Hat Enterprise Linux 7, 8 and 9 is not affected by this issue as it currently doesn't ship the affected code. </code></pre> <<a href="https://access.redhat.com/downloads/content/sudo/x86_64/package-latest" rel="nofollow">https://access.redhat.com/downloads/content/sudo/x86_64/pack...</a>><pre><code> 1.9.5p2-7.el9 1.8.29-8.el8</code></pre>

评论 #33558333 未加载

pdimitar超过 2 年前

Alright, this is getting tiring.Zig, Nim, Rust, D, V, whatever -- can't we just move on from C/C++ already? It's obvious they are not up for the job.

评论 #33477970 未加载

评论 #33475349 未加载

teddyh超过 2 年前

<a href="https://www.cve.org/CVERecord?id=CVE-2022-43995" rel="nofollow">https://www.cve.org/CVERecord?id=CVE-2022-43995</a>

millert超过 2 年前

As far as I can tell this is a non-issue. A single byte is written potentially outside a dynamically allocated buffer but the original contents is restored before the function returns (sudo is single-threaded). At best it could be a crash, but even that is unlikely unless using address sanitizer or valgrind.

Flocular超过 2 年前

Come on :D CVSS of 7.1, Complexity Low, Availability and Confidentiality High. sure...

评论 #33471831 未加载

TheBrokenRail超过 2 年前

Seriously, why is sudo so complicated? Most of the time, all sudo has to do is hash a password, check that hash against a file, and if successful, run a program as root.Why can't we just have a minimal version of sudo that does just that and only that so the majority of smaller servers and home users can run sudo without fear of a security bug ever other month? Preferably using the same executable path so that everything else doesn't break.It just seems like most of sudo's security bugs come from weird obscure features almost no one uses. Like that time sudoedit had a security issue. I didn't even know that command existed until it broke things, and it still seems pointless when you can just run "sudo nano" or "sudo vi".

评论 #33471225 未加载

评论 #33471058 未加载

effie超过 2 年前

This sort of fail isn't new to sudo, migrate to doas if you can - a much simpler(immensely) and less error-prone program.

v3ss0n超过 2 年前

Time to write sudo alternative in rust

评论 #33471557 未加载

评论 #33471340 未加载

zitterbewegung超过 2 年前

Overflow should be named hunter2 or sudoer2