Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
There is a buffer overflow in Sudo! For it to be reachable, the pwfeedback feature needs to be turned on.
The bug occurs because of bad parsing in certain situations where characters cannot be written back to the terminal. To trigger it, create a pty (pseudo-terminal) and set it to READ ONLY.
The bad parsing occurs when a pointer (cp or current pointer) does not get reset back to its original value when the write error occurs.
The exploitation was actually really straightforward! The overflowed buffer lives in .bss rather than on the stack, so stack canaries do not apply and there is no way to detect at the binary level that the overflow has occurred.
Quite a ways further down in the .bss section is a variable called User Details. By overwriting the uid field in this struct with 0's, we get a privilege escalation to root (uid 0).
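Since the whole bug hinges on pwfeedback being enabled, the defender's question is simply whether a sudoers file turns it on. Below is an added example (mine, not from the page or from the Sudo project) that reads sudoers-format text on stdin and reports the effective pwfeedback setting, honouring the rule that the last `Defaults` entry wins and that a leading `!` negates an option; the sample sudoers text is constructed.

```shell
#!/bin/sh
# Added example: report whether a sudoers configuration enables pwfeedback.
# Usage: pwfeedback_state < /etc/sudoers   -> prints "on" or "off"
# Handles "Defaults", "Defaults:user", "Defaults@host", "Defaults>runas",
# comma-separated option lists and trailing comments. Does not follow
# #include / #includedir, so run it over every included file as well.
pwfeedback_state() {
    awk '
    { sub(/#.*/, "") }                       # drop comments
    /^[ \t]*Defaults/ {
        sub(/^[ \t]*Defaults[^ \t]*[ \t]*/, "")   # strip the Defaults keyword and any qualifier
        n = split($0, opts, /[ \t]*,[ \t]*/)      # one option per element
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", opts[i])
            if (opts[i] == "pwfeedback")  state = "on"
            if (opts[i] == "!pwfeedback") state = "off"   # later entries override earlier ones
        }
    }
    END { print (state == "" ? "off" : state) }'
}

# Exit status form, convenient for scripts: 0 = enabled, 1 = disabled.
pwfeedback_enabled() {
    [ "$(pwfeedback_state)" = "on" ]
}

# Constructed sample (not from any real system): pwfeedback is switched on
# in the second Defaults line.
SAMPLE_SUDOERS='Defaults env_reset
Defaults mail_badpass, pwfeedback
root ALL=(ALL) ALL'

if printf '%s\n' "$SAMPLE_SUDOERS" | pwfeedback_enabled; then
    echo "pwfeedback is enabled: add 'Defaults !pwfeedback' or upgrade sudo"
else
    echo "pwfeedback is disabled"
fi
```

On a live system the same question is answered by `sudo -l`, where an enabled pwfeedback appears under "Matching Defaults entries"; the configuration fix is `Defaults !pwfeedback`.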
Another fantastic write-up of the exploit:
iamalsaher