January 30, 2012
A flaw exists in the debugging code in sudo versions 1.8.0 through
1.8.3p1 that can be used to crash sudo or potentially allow an
unauthorized user to elevate privileges.
Sudo versions affected:
1.8.0 through 1.8.3p1 inclusive. Older versions of sudo are not
This vulnerability has been assigned CVE-2012-0809
in the Common Vulnerabilities and
Sudo 1.8.0 introduced simple debugging support that was primarily
intended for use when developing policy or I/O logging plugins.
The sudo_debug() function contains a flaw where the program name
is used as part of the format string passed to the fprintf() function.
The program name can be controlled by the caller, either via a
symbolic link or, on some systems, by setting argv when executing
sudo. For example:
$ ln -s /usr/bin/sudo ./%s
$ ./%s -D9
Using standard format string vulnerability exploitation techniques
it is possible to leverage this bug to achieve root privileges.
Successful exploitation of the bug will allow a user to run arbitrary
commands as root.
Exploitation of the bug does not require that the
attacker be listed in the sudoers file. As such, we strongly suggest
that affected sites upgrade from affected sudo versions as soon as
There is no workaround other than removing the setuid bit from the
sudo binary (and rendering it unusable).
It was initially believed that building sudo with FORTIFY_SOURCE
in conjunction with ASLR (address space layout randomization) and
a non-executable stack would deter an attacker. However, an integer
overflow in GNU libc's FORTIFY_SOURCE support code can
be used to bypass FORTIFY_SOURCE protection.
The bug is fixed in sudo 1.8.3p2. Sudo version 1.8.3p1 may be
updated to version 1.8.3p2 via the file sudo-1.8.3p2.patch.gz. For
sudo versions 1.8.0-1.8.3, the patch to sudo.c in sudo-1.8.3p2.patch.gz
will also apply.
Thanks to joernchen of Phenoelit for finding and reporting the bug.