kdesudo crashed with SIGSEGV in strlen()

Bug #281877 reported by Flavelle on 2008-10-11
60
This bug affects 1 person
Affects Status Importance Assigned to Milestone
KdeSudo
Undecided
Unassigned
kdesudo (Ubuntu)
Medium
Unassigned
Declined for Jaunty by Kees Cook

Bug Description

Binary package hint: kdesudo

on reboot after update

ProblemType: Crash
Architecture: i386
CrashCounter: 1
DistroRelease: Ubuntu 8.10
ExecutablePath: /usr/bin/kdesudo
Package: kdesudo 3.3.1-0ubuntu1
ProcAttrCurrent: unconfined
ProcCmdline: /usr/lib/kde4/libexec/kdesu qt-language-selector\ --mode\ select
ProcEnviron:
 LANGUAGE=en_US
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
Signal: 11
SourcePackage: kdesudo
Stacktrace:
 #0 0xb6df629b in strlen () from /lib/tls/i686/cmov/libc.so.6
 #1 0xb6dc2830 in vfprintf () from /lib/tls/i686/cmov/libc.so.6
 #2 0xb6e77157 in __fprintf_chk () from /lib/tls/i686/cmov/libc.so.6
 #3 0x0804f4ce in _start ()
StacktraceTop:
 strlen () from /lib/tls/i686/cmov/libc.so.6
 vfprintf () from /lib/tls/i686/cmov/libc.so.6
 __fprintf_chk () from /lib/tls/i686/cmov/libc.so.6
 _start ()
Title: kdesudo crashed with SIGSEGV in strlen()
Uname: Linux 2.6.27-7-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

Related branches

Flavelle (flavelle.ballem) wrote :

StacktraceTop:strlen () from /lib/tls/i686/cmov/libc.so.6
vfprintf () from /lib/tls/i686/cmov/libc.so.6
__fprintf_chk () from /lib/tls/i686/cmov/libc.so.6
KdeSudo::parseOutput (this=0xbf9bf150) at /usr/include/bits/stdio2.h:99
KdeSudo::qt_metacall (this=0xbf9bf150, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0xbf9be928)

Changed in kdesudo:
importance: Undecided → Medium
Peter Poklop (peter-poklop) wrote :

This bug is easy to reproduce, for example with the command line " kdesudo echo "%s" ".
As far as i can see the reason is the fprintf statement in KdeSudo::parseOutput which falsely tries to interpret the parameters in the string.

tbjablin (tjablin) wrote :

This is a formating string vulnerability. It is almost certainly exploitable. I have attached the trivial patch.

tbjablin (tjablin) on 2009-04-09
Changed in kdesudo (Ubuntu):
assignee: nobody → tonio
Kees Cook (kees) wrote :

This is certainly a bug, but kdesudo is just a wrapper around sudo. While it does expand the arguments incorrectly, this isn't exploitable short of tricking someone to run kdesudo on a huge weird-looking commandline that would just fail anyway since glibc would block any use of %n. Unflagged as security.

security vulnerability: yes → no
Changed in kdesudo (Ubuntu):
importance: Medium → Low
status: New → Triaged
Changed in kdesudo (Ubuntu):
assignee: Anthony Mercatante (tonio) → nobody
importance: Low → Medium

I also got a crash today, when I tried to run a backup utility named 'Back in Time'. I think it looks same as this bug.

$ kdesudo -v
Qt: 4.4.3
KDE: 4.2.2 (KDE 4.2.2)
KdeSudo: 3.1

Application: KdeSudo (kdesudo), signal SIGSEGV
[Current thread is 0 (LWP 24096)]

Thread 2 (Thread 0xb5098b90 (LWP 24097)):
#0 0xb7fed430 in __kernel_vsyscall ()
#1 0xb6d73df1 in select () from /lib/tls/i686/cmov/libc.so.6
#2 0xb7c8e150 in ?? () from /usr/lib/libQtCore.so.4
#3 0xb7bbe6ae in ?? () from /usr/lib/libQtCore.so.4
#4 0xb69ab50f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#5 0xb6d7ba0e in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 1 (Thread 0xb663c6c0 (LWP 24096)):
[KCrash Handler]
#6 0xb6d17d88 in wcslen () from /lib/tls/i686/cmov/libc.so.6
#7 0xb6d190ad in wcsrtombs () from /lib/tls/i686/cmov/libc.so.6
#8 0xb6cddff1 in vfprintf () from /lib/tls/i686/cmov/libc.so.6
#9 0xb6d922d7 in __fprintf_chk () from /lib/tls/i686/cmov/libc.so.6
#10 0x0804f4ce in _start ()

Thanks a lot...

tbjablin (tjablin) wrote :

I submitted a patch for this bug three months ago, and it continues to affect other users. If someone will add me to the Kubuntu KdeSudo Development Team I will add it myself. Otherwise, could someone else apply me patch? Also, Kees Cook is incorrect about %n, which continues to work for me.

Kees Cook (kees) wrote :

The issue isn't if %n works, but if %n is in writable memory:

$ kdesudo echo "%x%x%n"
*** %n in writable segment detected ***

Test programs to see this need to have writable memory, and be compiled -O2 (the default for kdesudo).

It's also unimportant because there are no privileges yet when the expansion occurs. The output is being run as root, that's true, but again, the user must know the root password to have this happen, so there's no escalation of existing privileges. The case for user-assisted attacks is very unlikely. (Though perhaps I'm just being uncreative when it comes to %-expansions.)

This is a bug, and needs to be fixed, though. I'll go poke the maintainer again.

Changed in kdesudo:
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdesudo - 3.4.2-0ubuntu1

---------------
kdesudo (3.4.2-0ubuntu1) karmic; urgency=low

  [ Anthony Mercatante ]
  * New upstream release:
    - Closes LP: #281877
    - Closes LP: #258799
    - Closes Debian #525292
    - Closes LP: #365956

  [ Florian Reinhard ]
  * Closes LP: #285084

 -- Florian Reinhard <email address hidden> Thu, 25 Jun 2009 23:02:47 +0200

Changed in kdesudo (Ubuntu):
status: Triaged → Fix Released
Changed in kdesudo:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers