Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Undisclosed Sudo Vulnerability ?

From: Ben Hawkes <ben.hawkes () paradise net nz>
Date: Tue, 02 Aug 2005 18:45:47 +1200
On Mon, Aug 01, 2005 at 09:57:51PM -0500, Ron wrote:

Haha nice, I was just getting ready to run it on my sacrificial VMWare
box, but you saved me the trouble of hitting "undo" :-)

Kurt Seifried wrote:

This is a trojan that will nuke all the files owned by the user running it.

-Kurt

----- Original Message ----- From: "Esler, Joel - Contractor"
<joel.esler () rcert-s army mil>
To: <full-disclosure () lists grok org uk>
Sent: Saturday, July 30, 2005 12:40 PM
Subject: [Full-disclosure] Undisclosed Sudo Vulnerability ?



About two weeks ago, our proprietary LIDS detected some suspicious shell
activity on an internal .mil machine i am in charged of. Our server runs
latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled.
Before shutting down the machine and reinstalling it from scratch, we
installed sebek module to monitor all shell activity. Based on the data
we gathered, it seems the attacker gained root privileges using an
undisclosed bug in latest sudo.



I don't know if anyone has mentioned this as I just got back on the
list, but the technical side of this is actually pretty impressive.
Of course, the malicious shellcode is always going to give away a fake
exploit, but the way in which this specific piece of code diverts the 
execution path from binary to the "shellcode" is particularly devious.

So I did a quick sweep of the code, and normally it takes about two seconds
to spot the line that diverts execution (things like function pointers
set to the "shellcode" or fairly obvious overflows). But this time I
couldn't see anything that would obviously cause the redirection, just a
few strange casts. So I fired up gdb, and was eventually led to the fact
that alloca() was treating the second #define as a byte argument.
Combined with the fact that alloca() performs 16-byte alignment, the
second of these calls was effectively equivalent to alloca(0).

Obviously this results in an overflow of the saved return address on
the stack, which results in the diversion. The other interesting thing 
is that the shellcode is very purposefully appended to the .text section, 
which as I see it can only be for one reason, PaX evasion. 

Certainly a waste of time, but a reasonably interesting and insightful 
waste of time nonetheless.

-- 
Ben Hawkes (fiver)
http://pie.sf.net/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: