Todd Miller sudo up to 1.8.3p1 src/sudo.c sudo_debug format string
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.7 | $0-$5k | 0.00 |
Summary
A vulnerability categorized as problematic has been discovered in Todd Miller sudo up to 1.8.3p1. Affected is the function sudo_debug of the file src/sudo.c. Such manipulation with the input %x leads to format string.
This vulnerability is documented as CVE-2012-0809. The attack needs to be performed locally. Additionally, an exploit exists.
It is advisable to upgrade the affected component.
Details
A vulnerability was found in Todd Miller sudo up to 1.8.3p1 (Operating System Utility Software) and classified as critical. Affected by this issue is the function sudo_debug of the file src/sudo.c. The manipulation with the input value %x leads to a format string vulnerability. Using CWE to declare the problem leads to CWE-134. The product uses a function that accepts a format string as an argument, but the format string originates from an external source. Impacted is confidentiality, integrity, and availability. CVE summarizes:
Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for sudo.
The weakness was released 01/30/2012 by joernchen with Phenoelit (Website). The advisory is available at sudo.ws. The public release was coordinated with the vendor. This vulnerability is handled as CVE-2012-0809 since 01/19/2012. The exploitation is known to be difficult. Local access is required to approach this attack. No form of authentication is required for exploitation. Technical details as well as a public exploit are known.
A public exploit has been developed by joernchen and been published 1 days after the advisory. The exploit is available at exploit-db.com. It is declared as proof-of-concept. As 0-day the estimated underground price was around $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 74791 (openSUSE Security Update : sudo (openSUSE-2012-73)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 120903 (Solaris 11 Support Repository Update (SRU) 7.5 Missing).
Upgrading to version 1.8.3p2 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (72781), Exploit-DB (18436), Tenable (74791), SecurityFocus (BID 51719†) and OSVDB (78659†). Entries connected to this vulnerability are available at VDB-4709, VDB-4708, VDB-5262 and VDB-5263. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.4VulDB Meta Temp Score: 6.7
VulDB Base Score: 7.4
VulDB Temp Score: 6.7
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Format stringCWE: CWE-134 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: joernchen
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 74791
Nessus Name: openSUSE Security Update : sudo (openSUSE-2012-73)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 70739
OpenVAS Name: FreeBSD Ports: sudo
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Upgrade: sudo 1.8.3p2
Timeline
01/19/2012 🔍01/30/2012 🔍
01/30/2012 🔍
01/30/2012 🔍
01/30/2012 🔍
01/31/2012 🔍
01/31/2012 🔍
01/31/2012 🔍
01/31/2012 🔍
01/31/2012 🔍
02/07/2012 🔍
02/21/2012 🔍
06/13/2014 🔍
06/23/2024 🔍
Sources
Advisory: sudo.wsResearcher: joernchen
Organization: Phenoelit
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2012-0809 (🔍)
GCVE (CVE): GCVE-0-2012-0809
GCVE (VulDB): GCVE-100-4586
X-Force: 72781
SecurityFocus: 51719 - Todd Miller Sudo 'Sudo_Debug()' Path Resolution Local Privilege Escalation Vulnerability
Secunia: 47743 - sudo "sudo_debug()" Format String Privilege Escalation Vulnerability, Less Critical
OSVDB: 78659
SecurityTracker: 1026600 - Sudo Format String Bug Lets Local Users Gain Elevated Privileges
Vulnerability Center: 34405 - Todd Miller Sudo 1.80-1.8.3p1 sudo_debug() Allows Local Code Execution, Medium
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 02/21/2012 01:00Updated: 06/23/2024 15:34
Changes: 02/21/2012 01:00 (85), 06/16/2017 09:02 (13), 03/20/2021 16:27 (2), 06/23/2024 15:34 (15)
Complete: 🔍
Cache ID: 216:679:103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.