本文为看雪论坛优秀文章
看雪论坛作者ID:暗香沉浮
编辑前言
调试方式
https://github.com/sudo-project/sudo/archive/SUDO_1_9_5p1.tar.gztar xf sudo-SUDO_1_9_5p1.tar.gzcd sudo-SUDO_1_9_5p1/mkdir buildcd build/../configure --enable-env-debugmake -jsudo make install
gdb --args sudoedit -s '\' `perl -e 'print "A" x 65536'`b ../../../plugins/sudoers/sudoers.c:964b ../../../plugins/sudoers/sudoers.c:978
漏洞成因
sudoedit -s '\' 112233445566/* Alloc and build up user_args. */for (size = 0, av = NewArgv + 1; *av; av++)size += strlen(*av) + 1;if (size == 0 || (user_args = malloc(size)) == NULL) {if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {for (to = user_args, av = NewArgv + 1; (from = *av); av++) {while (*from) {if (from[0] == '\\' && !isspace((unsigned char)from[1])) // 关键逻辑!!!from++;*to++ = *from++;}*to++ = ' ';}*--to = '\0';}
NewArgv[0]: sudoeditNewArgv[1]: \NewArgv[2]: 112233445566
if (from[0] == '\\' && !isspace((unsigned char)from[1])) // 关键逻辑!!!from++;
*to++ = *from++;参考链接:
看雪ID:暗香沉浮
https://bbs.pediy.com/user-home-690974.htm
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!
文章来源: http://mp.weixin.qq.com/s?__biz=MjM5NTc2MDYxMw==&mid=2458380711&idx=1&sn=aef5ea72b0679e84196e2dd285d784dc&chksm=b180d92d86f7503bb9a75c62fcee83db7d6e38b95b96083d545f5c959d9ced856dff7c67d441#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh