FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Hardened

 
 
LinkBack Thread Tools
 
Old 01-31-2012, 02:12 PM
RB
 
Default New sudo format string vuln

Not sure how much testing anyone else has done (and it warrants more
testing), but I just tested this on a rather out-of-date machine
running hardened-sources-3.0.4 and sudo-1.8.2-r1. I had brute-force
prevention enabled, and not only was the vulnerability not successful,
I was locked out from all execution under my UID for 15 minutes -
couldn't even su over from root. Definite win for hardened!
 
Old 01-31-2012, 02:19 PM
Javier Juan Martínez Cabezón
 
Default New sudo format string vuln

Systems compiled with -D_Fortify_source=2 are not vulnerable. If I'm not wrong it's a format string vulnerability.

2012/1/31 RB <aoz.syn@gmail.com>

Not sure how much testing anyone else has done (and it warrants more

testing), but I just tested this on a rather out-of-date machine

running hardened-sources-3.0.4 and sudo-1.8.2-r1. *I had brute-force

prevention enabled, and not only was the vulnerability not successful,

I was locked out from all execution under my UID for 15 minutes -

couldn't even su over from root. *Definite win for hardened!
 
Old 01-31-2012, 04:29 PM
Agostino Sarubbo
 
Default New sudo format string vuln

On Tuesday 31 January 2012 16:19:53 Javier Juan Martínez Cabezón wrote:
> Systems compiled with -D_Fortify_source=2 are not vulnerable. If I'm not
> wrong it's a format string vulnerability.

Not very sure about it. From the original advisory:

he above example shows the result of FORTIFY_SOURCE which makes explotitation
painful but not impossible (see [0]). Without FORTIFY_SOURCE the exploit is
straight forward.

--
Agostino Sarubbo ago -at- gentoo.org
Gentoo/AMD64 Arch Security Liaison
GPG: 0x7CD2DC5D
 

Thread Tools




All times are GMT. The time now is 10:05 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org