sudo emails contain random buffer contents if hostname can't be resolved

Bug #530073 reported by Nikolaus Rath
This bug affects 9 people
Affects | Status | Importance | Assigned to | Milestone
sudo | Unknown | Unknown | |
sudo (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: sudo

To reproduce:

1. install libnss-extrausers
2. make sure the hostname cannot be resolved by removing it from /etc/hosts:

# hostname
spitzer
# hostname -f
hostname: Unknown host

Now run

# sudo -u "$admin_user" /bin/true
sudo: unable to resolve host spitzer

This will send a completely garbled error message to the administrator that gives no clue of what went wrong and where to look for it:

To: <email address hidden>
From: <email address hidden>
Auto-Submitted: auto-generated
Subject: *** SECURITY information for spitzer ***

spitzer : Feb 26 06:25:01 : root : /usr/lib/libnss_extrausers.so.2

Tags: patch
Toby Corkindale (tjc-wintrmute) wrote :

I have identified this bug too, but worse, it seems to be sending an uninitialised buffer in the emails!

(I was doing a "sudo -s" rather than "sudo /bin/true" or whatever.)

To: <email address hidden>
Subject: *** SECURITY information for arya ***

arya : Apr 20 16:13:28 : tobyc : `¨g

To: <email address hidden>
Subject: *** SECURITY information for arya ***

arya : Apr 20 16:15:16 : tobyc : `d

Toby Corkindale (tjc-wintrmute) wrote :

Oh, I should mention which version I'm using:

$ aptitude show sudo
Package: sudo
State: installed
Version: 1.7.0-1ubuntu2.2

Toby Corkindale (tjc-wintrmute) wrote :

This is the upstream bug - there's a patch there too that could be applied to Ubuntu I think?

http://www.sudo.ws/sudo/bugs/show_bug.cgi?id=390

Nikolaus Rath (nikratio)
Changed in sudo (Ubuntu):
status: New → Confirmed
Nikolaus Rath (nikratio) wrote :

Can someone please apply the upstream patch? It's a two-liner, and having the contents of some random portion of memory sent around via email is definitely not a good thing.

tags: added: patch
summary: - Sends garbled security warnings if hostname can't be resolved
+ sudo emails contain random buffer contents if hostname can't be resolved
Pi Delport (pi-delport) wrote :

I can confirm this affects our 10.04 LTS server (Sudo version 1.7.2p1), and is fixed in 10.10 (Sudo version 1.7.2p7). (The upstream fix was released in 1.7.2p3)

Note that this bug may be more serious than indicated:

1. It does not only affect the case of having an unresolvable hostname, but potentially any call to log_error(). (If I understand correctly, all log_error() calls with the MSG_ONLY flag set will be corrupted.)

2. The impact is not limited to emailing: in addition to send_mail(), both do_syslog() and do_logfile() are called with the bad buffer. From testing on our server, this results in all affected messages being omitted from syslog, too. (Just to confirm: the upstream patch fixes logging in addition to emailing.)

Given this, I think this bug should be escalated in severity to a potential security vulnerability: people rely on sudo's logging to work as advertised, and this bug causes a complete failure to log certain error messages that may indicate a real security breach.

The Gavitron (me-gavitron) wrote :

Agree w/ comment #5, this is a security vulnerability, and should be backported to 10.04LTS. I found this bug on our systems while doing a security audit of "those random emails that come in from root." Thankfully, it's a bug, not a security breach, but this could probably be used to mask malicious activity if one manages to bork DNS on a compromised host.
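
Added example, not part of the thread and not sudo's own code: a small Python triage script for sudo mail bodies like the ones quoted in this report. It assumes the `host : timestamp : user : message` layout seen above and, as a heuristic, that an intact message is printable ASCII with more than one word; the function names and the third sample line are constructed.

```python
import re

# Layout of the mail bodies quoted in this report:
#   host : timestamp : user : message
LINE_RE = re.compile(
    r"^(?P<host>\S+) : (?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
    r" : (?P<user>\S+) :(?: (?P<msg>.*))?$"
)

def classify(line):
    """Return 'ok', or the reason the message field looks corrupted."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return "unparsed"
    msg = (m.group("msg") or "").strip()
    if not msg:
        return "empty"
    # Bytes outside printable ASCII point at leaked buffer contents.
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in msg):
        return "non-printable"
    # Heuristic (assumption): intact sudo messages are phrases or
    # ';'-separated fields, so a lone token is treated as suspect.
    if " " not in msg:
        return "single-token"
    return "ok"

def audit(lines):
    """Return (line_number, verdict, line) for every suspect line."""
    findings = []
    for number, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict != "ok":
            findings.append((number, verdict, line))
    return findings

SAMPLES = [
    # Visible characters of two mail bodies quoted in this report.
    "spitzer : Feb 26 06:25:01 : root : /usr/lib/libnss_extrausers.so.2",
    "arya : Apr 20 16:13:28 : tobyc : `\u00a8g",
    # Constructed: what an intact message is assumed to look like.
    "spitzer : Feb 26 06:25:01 : root : unable to resolve host spitzer",
]

if __name__ == "__main__":
    for number, verdict, line in audit(SAMPLES):
        print(f"line {number}: {verdict}: {line!r}")
```

Because the single-token rule is only a heuristic, treat its hits as candidates for manual review rather than confirmed corruption.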

Ilmari Vacklin (wolverian) wrote :

Set the bug as a security vulnerability.

security vulnerability: no → yes
Steve Langasek (vorlon) wrote :

This is fixed upstream in version 1.8.2, included in precise.

Changed in sudo (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.