Vulnerability Development mailing list archives

sudo segfaults on SIGINT during auth


From: Charles 'core' Stevenson <core () bokeoa com>
Date: Fri, 18 Jan 2002 21:40:51 -0700

Hello,

I'm not sure how to debug this just yet. I attached to the process from
another terminal but when I throw the SIGINT gdb catches it... which is
annoying. How can I turn that off? Is this exploitable?

[20:10:08] core@euclid ~/
[3]% sudo ls
Password:(ctrl-c aka SIGINT)
zsh: segmentation fault  sudo ls

euclid:~# gdb -q `which sudo` `pidof sudo`
(no debugging symbols found).../root/948: No such file or directory.
Attaching to program: /usr/bin/sudo, process 948
Reading symbols from /lib/libcrypt.so.1...
(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libpam.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libpam.so.0
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/ld.so.1
Reading symbols from /lib/libnss_compat.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/security/pam_unix.so...
(no debugging symbols found)...done.
Loaded symbols for /lib/security/pam_unix.so
0x0fee0c20 in read () from /lib/libc.so.6
(gdb) c
Continuing.

Program received signal SIGINT, Interrupt.
0x0fee0c20 in read () from /lib/libc.so.6
(gdb) bt
#0  0x0fee0c20 in read () from /lib/libc.so.6
#1  0x10008088 in _init ()
#2  0x10007d84 in _init ()
#3  0x10008a94 in _init ()
#4  0x0fd46510 in _log_err () from /lib/security/pam_unix.so
#5  0x0fd4786c in _unix_read_password () from /lib/security/pam_unix.so
#6  0x0fd44130 in pam_sm_authenticate () from /lib/security/pam_unix.so
#7  0x0ff6a6e4 in pam_fail_delay () from /lib/libpam.so.0
#8  0x0ff6aa04 in _pam_dispatch () from /lib/libpam.so.0
#9  0x0ff6c4d4 in pam_authenticate () from /lib/libpam.so.0
#10 0x10008778 in _init ()
#11 0x100083d4 in _init ()
#12 0x10001dc8 in _init ()
#13 0x10006460 in _init ()
#14 0x0fe31a30 in __libc_start_main () from /lib/libc.so.6
...
euclid:~# strace -ip`pidof sudo`
[0fee0c20] --- SIGSTOP (Stopped (signal)) ---
[0fee0c20] read(4, 0x7ffff258, 1)       = ? ERESTARTSYS (To be restarted)
[0fee0c20] --- SIGINT (Interrupt) ---
[0fee0c30] write(4, "\n", 1)            = 1
[0feee41c] ioctl(4, 0x802c7416, 0x7ffff238) = 0
[0fe472b4] rt_sigaction(SIGINT, {SIG_IGN}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGHUP, {SIG_DFL}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGQUIT, {SIG_IGN}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGTERM, {SIG_DFL}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGTSTP, {SIG_DFL}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGTTIN, {SIG_DFL}, NULL, 8) = 0
[0fe472b4] rt_sigaction(SIGTTOU, {SIG_DFL}, NULL, 8) = 0
[0fee0c10] close(4)                     = 0
[0febde00] getpid()                     = 1028
[0fe45f28] kill(1028, SIGINT)           = 0
[0fe45f28] --- SIGINT (Interrupt) ---
[0fee7178] brk(0x10035000)              = 0x10035000
[0feb13b4] time([1011410859])           = 1011410859
[0febde00] getpid()                     = 1028
[0fe472b4] rt_sigaction(SIGPIPE, {0xfeeaabc, [], 0}, {SIG_IGN}, 8) = 0
[0feeed00] socket(PF_UNIX, SOCK_DGRAM, 0) = 4
[0feee47c] fcntl64(0x4, 0x2, 0x1)       = 0
[0feeea9c] connect(4, {sin_family=AF_UNIX, path="/dev/log"}, 16) = 0
[0feeec14] send(4, "<37>Jan 18 20:27:39 PAM_unix[102"..., 74, 0) = 74
[0fe472b4] rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
[0fee0c10] close(4)                     = 0
[0fee0b28] open("/etc/passwd", O_RDONLY) = 4
[0feee47c] fcntl64(0x4, 0x1, 0)         = 0
[0feee47c] fcntl64(0x4, 0x2, 0x1)       = 0
[0feee48c] fstat64(0x4, 0x7ffff4c8)     = 0
[0feeadec] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x30015000
[0feee43c] _llseek(0x4, 0, 0, 0x7ffff538, 0x1) = 0
[0fee0c20] read(4, "root:x:0:0:root:/root:/bin/zsh\nd"..., 4096) = 1015
[0fee0c10] close(4)                     = 0
[0feeaf8c] munmap(0x30015000, 4096)     = 0
[0fee0b28] open("/etc/shadow", O_RDONLY) = 4
[0feee47c] fcntl64(0x4, 0x1, 0)         = 0
[0feee47c] fcntl64(0x4, 0x2, 0x1)       = 0
[0feee48c] fstat64(0x4, 0x7ffff058)     = 0
[0feeadec] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x30015000
[0feee43c] _llseek(0x4, 0, 0, 0x7ffff0c8, 0x1) = 0
[0fee0c20] read(4, "root:( censored ;):11514:0:99999"..., 4096) = 690
[0fee0c10] close(4)                     = 0
[0feeaf8c] munmap(0x30015000, 4096)     = 0
[0fe93918] --- SIGSEGV (Segmentation fault) ---

[20:10:11] core@euclid ~/
[4]% dpkg -l sudo
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  sudo           1.6.4p1-1      Provides limited super user privileges to sp

Seems like maybe this was something that was fixed?

sudo (1.6.4p1-1) unstable; urgency=high
  * new upstream version, with fix for segfaulting problem in 1.6.4
 -- Bdale Garbee <bdale () gag com>  Mon, 14 Jan 2002 20:09:46 -0700

sudo (1.6.4-1) unstable; urgency=high
  * new upstream version, includes an important security fix, closes: #127576
 -- Bdale Garbee <bdale () gag com>  Mon, 14 Jan 2002 09:35:48 -0700


Best Regards,
Charles 'core' Stevenson
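As an added triage helper (not from the original post, and not sudo's or PAM's code): a Python parser for `strace -i` output like the capture above. It rebuilds the signal/syscall timeline and lists the syscalls that ran between the last SIGINT and the SIGSEGV, so the crash can be narrowed to the post-interrupt path (here the syslog traffic and passwd/shadow lookups) before attaching a debugger. The sample input is a constructed, abridged copy of the post's capture; the `Event` class and both function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of the post's `strace -i` capture (same addresses/fds/PID).
SAMPLE = r"""
[0fee0c20] read(4, 0x7ffff258, 1)       = ? ERESTARTSYS (To be restarted)
[0fee0c20] --- SIGINT (Interrupt) ---
[0fe472b4] rt_sigaction(SIGINT, {SIG_IGN}, NULL, 8) = 0
[0fee0c10] close(4)                     = 0
[0fe45f28] kill(1028, SIGINT)           = 0
[0fe45f28] --- SIGINT (Interrupt) ---
[0feeed00] socket(PF_UNIX, SOCK_DGRAM, 0) = 4
[0feeea9c] connect(4, {sin_family=AF_UNIX, path="/dev/log"}, 16) = 0
[0feeec14] send(4, "<37>Jan 18 20:27:39 PAM_unix[102"..., 74, 0) = 74
[0fee0b28] open("/etc/passwd", O_RDONLY) = 4
[0fee0b28] open("/etc/shadow", O_RDONLY) = 4
[0fe93918] --- SIGSEGV (Segmentation fault) ---
""".strip()

# `strace -i` prefixes each line with the instruction pointer in brackets.
SYSCALL_RE = re.compile(r"^\[([0-9a-f]+)\]\s+(\w+)\((.*)\)\s*=\s*(.*)$")
SIGNAL_RE = re.compile(r"^\[([0-9a-f]+)\]\s+---\s+(SIG\w+)\s+\((.*)\)\s+---$")

@dataclass
class Event:
    kind: str    # "syscall" or "signal"
    pc: str      # instruction pointer printed by strace -i
    name: str    # syscall name or signal name
    detail: str  # "(args) = result" for syscalls, description for signals

def parse_strace(text):
    """Turn strace -i output into Event records; lines matching neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        if m := SIGNAL_RE.match(line):
            events.append(Event("signal", m[1], m[2], m[3]))
        elif m := SYSCALL_RE.match(line):
            events.append(Event("syscall", m[1], m[2], f"({m[3]}) = {m[4]}"))
    return events

def work_after_signal(events, signal="SIGINT", crash="SIGSEGV"):
    """Syscall names between the last delivery of `signal` and `crash` (None if no crash).
    These ran on the post-interrupt path, so they bound where the fault was set up."""
    if not any(e.kind == "signal" and e.name == crash for e in events):
        return None
    last_sig = max((i for i, e in enumerate(events) if e.kind == "signal" and e.name == signal), default=-1)
    crash_at = next(i for i, e in enumerate(events) if e.kind == "signal" and e.name == crash)
    return [e.name for e in events[last_sig + 1:crash_at] if e.kind == "syscall"]
```

Feed it a full `strace -i -p <pid>` log instead of `SAMPLE` and the returned list is the window to inspect; the `pc` of the final signal event is the address to look up in the binary's map.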

