Full Disclosure mailing list archives
Re: Undisclosed Sudo Vulnerability ?
From: Ben Hawkes <ben.hawkes () paradise net nz>
Date: Tue, 02 Aug 2005 18:45:47 +1200
On Mon, Aug 01, 2005 at 09:57:51PM -0500, Ron wrote:
> Haha nice, I was just getting ready to run it on my sacrificial VMWare box, but you saved me the trouble of hitting "undo" :-)
>
> Kurt Seifried wrote:
>
> This is a trojan that will nuke all the files owned by the user running it.
>
> -Kurt
>
> ----- Original Message -----
> From: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>
> To: <full-disclosure () lists grok org uk>
> Sent: Saturday, July 30, 2005 12:40 PM
> Subject: [Full-disclosure] Undisclosed Sudo Vulnerability ?
>
> About two weeks ago, our proprietary LIDS detected some suspicious shell activity on an internal .mil machine I am in charge of. Our server runs the latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled. Before shutting down the machine and reinstalling it from scratch, we installed the sebek module to monitor all shell activity. Based on the data we gathered, it seems the attacker gained root privileges using an undisclosed bug in the latest sudo.
I don't know if anyone has mentioned this as I just got back on the list, but the technical side of this is actually pretty impressive. Of course, the malicious shellcode is always going to give away a fake exploit, but the way in which this specific piece of code diverts the execution path from the binary to the "shellcode" is particularly devious.

So I did a quick sweep of the code, and normally it takes about two seconds to spot the line that diverts execution (things like function pointers set to the "shellcode" or fairly obvious overflows). But this time I couldn't see anything that would obviously cause the redirection, just a few strange casts.

So I fired up gdb, and was eventually led to the fact that alloca() was treating the second #define as a byte argument. Combined with the fact that alloca() performs 16-byte alignment, the second of these calls was effectively equivalent to alloca(0). Obviously this results in an overflow of the saved return address on the stack, which results in the diversion.

The other interesting thing is that the shellcode is very purposefully appended to the .text section, which as I see it can only be for one reason: PaX evasion.

Certainly a waste of time, but a reasonably interesting and insightful waste of time nonetheless.

-- 
Ben Hawkes (fiver)
http://pie.sf.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
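The alloca() trick Ben describes, as an added example written for this archive page; it is not the fake exploit's code, which is not reproduced here. It assumes a copy length of 0x100 behind a macro, an (unsigned char) cast as the thing that narrows the length on its way into alloca(), and 32 bytes of locals between the alloca'd buffer and the saved frame pointer and return address; all three are assumptions, not details from the thread. The frame is modelled as an ordinary array so the overrun can be observed without corrupting a real stack, and the .text placement of the shellcode is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the alloca() trick (added example, not the fake exploit's code).
 * Assumed: copy length 0x100, narrowing via an (unsigned char) cast, and
 * 32 bytes of locals between the alloca'd buffer and the saved fp/ret.
 * The "stack" below is a plain array, so the overrun is safe to run.
 */

#define PAYLOAD_LEN 0x100u        /* assumed copy length */
#define LOCALS_BYTES 32u          /* assumed bytes of locals above the buffer */
#define STACK_MODEL_BYTES 512u    /* size of the modelled frame */

/* alloca() rounds its argument up to a multiple of 16, as described above. */
size_t alloca_rounded(size_t requested)
{
    return (requested + 15u) & ~(size_t)15u;
}

/* A byte-wide cast on the way into alloca(): 0x100 becomes 0. */
size_t narrowed_to_byte(size_t n)
{
    return (unsigned char)n;
}

/* Bytes written past what alloca() actually reserved. */
size_t bytes_past_buffer(size_t requested, size_t copy_len)
{
    size_t reserved = alloca_rounded(requested);
    return copy_len > reserved ? copy_len - reserved : 0;
}

/*
 * Lay the frame out bottom-up, the way the x86 stack grows: alloca'd
 * buffer, then locals, then saved frame pointer, then saved return address.
 * Copy `copy_len` payload bytes into the buffer alloca() reserved for
 * `requested` bytes and report on the return-address slot.
 * Returns 1 if it was overwritten, 0 if it survived, -1 if the model is
 * too small for the sizes given.
 */
int simulate_overflow(size_t requested, size_t copy_len)
{
    unsigned char stack[STACK_MODEL_BYTES];
    unsigned char payload[STACK_MODEL_BYTES];
    const uintptr_t sentinel = (uintptr_t)0x0123456789abcdefULL;
    size_t reserved = alloca_rounded(requested);
    size_t ret_off = reserved + LOCALS_BYTES + sizeof(uintptr_t);
    uintptr_t after;

    if (copy_len > sizeof stack || ret_off + sizeof(uintptr_t) > sizeof stack)
        return -1;

    memset(stack, 0, sizeof stack);
    memcpy(stack + ret_off, &sentinel, sizeof sentinel);

    memset(payload, 0x41, sizeof payload);  /* constructed filler; 0x41 never appears in the sentinel */
    memcpy(stack, payload, copy_len);       /* the copy that follows the bogus alloca() */

    memcpy(&after, stack + ret_off, sizeof after);
    return after != sentinel;
}

int main(void)
{
    size_t honest = PAYLOAD_LEN;
    size_t narrowed = narrowed_to_byte(PAYLOAD_LEN);

    printf("alloca(0x%zx) reserves %zu bytes; ret overwritten: %d\n",
           honest, alloca_rounded(honest),
           simulate_overflow(honest, PAYLOAD_LEN));
    printf("alloca(0x%zx) reserves %zu bytes; ret overwritten: %d; overrun %zu bytes\n",
           narrowed, alloca_rounded(narrowed),
           simulate_overflow(narrowed, PAYLOAD_LEN),
           bytes_past_buffer(narrowed, PAYLOAD_LEN));
    return 0;
}
```

With the honest length the 0x100-byte copy fits exactly and the return address survives; once the length has been narrowed to a byte, alloca() is asked for 0, rounds that to 0, and the same copy runs straight through the locals and the saved frame pointer into the return address. The cast is the only visible hint, which is why a source-level sweep for the usual function-pointer or overflow idioms finds nothing.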
Current thread:
- Re: Undisclosed Sudo Vulnerability ? Ron (Aug 01)
- Re: Undisclosed Sudo Vulnerability ? Ben Hawkes (Aug 01)