kdesudo crashed with SIGSEGV in strlen()

Bug #281877 reported by Flavelle
Affects | Status | Importance | Assigned to | Milestone
KdeSudo | Fix Released | Undecided | Unassigned |
kdesudo (Ubuntu) | Fix Released | Medium | Unassigned | Declined for Jaunty by Kees Cook

Bug Description

Binary package hint: kdesudo

on reboot after update

ProblemType: Crash
Architecture: i386
CrashCounter: 1
DistroRelease: Ubuntu 8.10
ExecutablePath: /usr/bin/kdesudo
Package: kdesudo 3.3.1-0ubuntu1
ProcAttrCurrent: unconfined
ProcCmdline: /usr/lib/kde4/libexec/kdesu qt-language-selector\ --mode\ select
ProcEnviron:
 LANGUAGE=en_US
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
Signal: 11
SourcePackage: kdesudo
Stacktrace:
 #0 0xb6df629b in strlen () from /lib/tls/i686/cmov/libc.so.6
 #1 0xb6dc2830 in vfprintf () from /lib/tls/i686/cmov/libc.so.6
 #2 0xb6e77157 in __fprintf_chk () from /lib/tls/i686/cmov/libc.so.6
 #3 0x0804f4ce in _start ()
StacktraceTop:
 strlen () from /lib/tls/i686/cmov/libc.so.6
 vfprintf () from /lib/tls/i686/cmov/libc.so.6
 __fprintf_chk () from /lib/tls/i686/cmov/libc.so.6
 _start ()
Title: kdesudo crashed with SIGSEGV in strlen()
Uname: Linux 2.6.27-7-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

Revision history for this message
Apport retracing service (apport) wrote : Symbolic stack trace

StacktraceTop:strlen () from /lib/tls/i686/cmov/libc.so.6
vfprintf () from /lib/tls/i686/cmov/libc.so.6
__fprintf_chk () from /lib/tls/i686/cmov/libc.so.6
KdeSudo::parseOutput (this=0xbf9bf150) at /usr/include/bits/stdio2.h:99
KdeSudo::qt_metacall (this=0xbf9bf150, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0xbf9be928)

Revision history for this message
Apport retracing service (apport) wrote : Symbolic threaded stack trace
Changed in kdesudo:
importance: Undecided → Medium
Revision history for this message
Peter Poklop (peter-poklop) wrote :

This bug is easy to reproduce, for example with the command line `kdesudo echo "%s"`.
As far as I can see the reason is the fprintf statement in KdeSudo::parseOutput which falsely tries to interpret the parameters in the string.

Revision history for this message
tbjablin (tjablin) wrote :

This is a formatting string vulnerability. It is almost certainly exploitable. I have attached the trivial patch.

tbjablin (tjablin)
Changed in kdesudo (Ubuntu):
assignee: nobody → tonio
Revision history for this message
Kees Cook (kees) wrote :

This is certainly a bug, but kdesudo is just a wrapper around sudo. While it does expand the arguments incorrectly, this isn't exploitable short of tricking someone to run kdesudo on a huge weird-looking commandline that would just fail anyway since glibc would block any use of %n. Unflagged as security.

security vulnerability: yes → no
Changed in kdesudo (Ubuntu):
importance: Medium → Low
status: New → Triaged
Changed in kdesudo (Ubuntu):
assignee: Anthony Mercatante (tonio) → nobody
importance: Low → Medium
Revision history for this message
Musthafa Meeran (musthafameeran-deactivatedaccount) wrote :

I also got a crash today, when I tried to run a backup utility named 'Back in Time'. I think it looks the same as this bug.

$ kdesudo -v
Qt: 4.4.3
KDE: 4.2.2 (KDE 4.2.2)
KdeSudo: 3.1

Application: KdeSudo (kdesudo), signal SIGSEGV
[Current thread is 0 (LWP 24096)]

Thread 2 (Thread 0xb5098b90 (LWP 24097)):
#0 0xb7fed430 in __kernel_vsyscall ()
#1 0xb6d73df1 in select () from /lib/tls/i686/cmov/libc.so.6
#2 0xb7c8e150 in ?? () from /usr/lib/libQtCore.so.4
#3 0xb7bbe6ae in ?? () from /usr/lib/libQtCore.so.4
#4 0xb69ab50f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#5 0xb6d7ba0e in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 1 (Thread 0xb663c6c0 (LWP 24096)):
[KCrash Handler]
#6 0xb6d17d88 in wcslen () from /lib/tls/i686/cmov/libc.so.6
#7 0xb6d190ad in wcsrtombs () from /lib/tls/i686/cmov/libc.so.6
#8 0xb6cddff1 in vfprintf () from /lib/tls/i686/cmov/libc.so.6
#9 0xb6d922d7 in __fprintf_chk () from /lib/tls/i686/cmov/libc.so.6
#10 0x0804f4ce in _start ()

Thanks a lot...

Revision history for this message
tbjablin (tjablin) wrote :

I submitted a patch for this bug three months ago, and it continues to affect other users. If someone will add me to the Kubuntu KdeSudo Development Team I will add it myself. Otherwise, could someone else apply my patch? Also, Kees Cook is incorrect about %n, which continues to work for me.

Revision history for this message
Kees Cook (kees) wrote :

The issue isn't if %n works, but if %n is in writable memory:

$ kdesudo echo "%x%x%n"
*** %n in writable segment detected ***

Test programs to see this need to have writable memory, and be compiled -O2 (the default for kdesudo).

It's also unimportant because there are no privileges yet when the expansion occurs. The output is being run as root, that's true, but again, the user must know the root password to have this happen, so there's no escalation of existing privileges. The case for user-assisted attacks is very unlikely. (Though perhaps I'm just being uncreative when it comes to %-expansions.)

This is a bug, and needs to be fixed, though. I'll go poke the maintainer again.
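
The pattern behind the two comments above (Peter Poklop's reproducer and Kees Cook's note on %n), shown as an added example that is not kdesudo's code: a function that hands caller-controlled text to a printf-family routine as the format string, next to the one-line fix of passing it as an argument to a constant "%s" format. The emit_* functions write into a buffer rather than stderr so the effect is observable; the function names, buffer sizes and sample strings are this example's own assumptions. count_directives() is the pre-check a reviewer would apply to an input such as `%x%x%n`: every directive it counts would make vfprintf read an argument that was never passed.

```c
/*
 * Added example (not kdesudo's code): the format-string bug pattern from
 * this report. KdeSudo::parseOutput passed text derived from the command
 * line to fprintf() as the FORMAT argument, so `kdesudo echo "%s"` made
 * glibc's vfprintf dereference a non-existent argument and crash in
 * strlen(). Function names, buffer sizes and sample input are assumptions
 * made for this example.
 */
#include <stdio.h>
#include <string.h>

/* gcc and clang flag the vulnerable call with -Wformat-security; that
 * warning is the cheapest check for this bug class. It is silenced here
 * only so the deliberately wrong function compiles cleanly. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* VULNERABLE: the caller's data becomes the format string, so any %s, %x
 * or %n inside it is interpreted. Mirrors fprintf(stderr, line). */
int emit_output_vulnerable(char *out, size_t n, const char *line)
{
    return snprintf(out, n, line);
}

#pragma GCC diagnostic pop

/* FIXED: a constant format; the caller's data is only ever an argument.
 * Mirrors the correct fprintf(stderr, "%s", line). */
int emit_output_fixed(char *out, size_t n, const char *line)
{
    return snprintf(out, n, "%s", line);
}

/* Counts conversion directives vfprintf would act on if the string were
 * used as a format. "%%" is an escaped percent sign and consumes no
 * argument, so it is not counted. */
int count_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(int argc, char **argv)
{
    /* Constructed sample; pass another string as argv[1] to try others. */
    const char *line = argc > 1 ? argv[1] : "echo \"%s\"";
    char buf[256];
    int directives = count_directives(line);

    printf("input           : %s\n", line);
    printf("directives      : %d\n", directives);

    /* Run the vulnerable path only when it cannot consume missing
     * arguments; with %s or %n it would be the crash in this report. */
    if (directives == 0) {
        emit_output_vulnerable(buf, sizeof buf, line);
        printf("vulnerable path : %s\n", buf);
    } else {
        printf("vulnerable path : skipped (%d directive(s) would read "
               "arguments that were never passed)\n", directives);
    }

    emit_output_fixed(buf, sizeof buf, line);
    printf("fixed path      : %s\n", buf);
    return 0;
}
```

With `100%% done` as input the vulnerable path prints `100% done` while the fixed path prints the string verbatim, which is the "falsely tries to interpret the parameters" symptom with no crash. The main() above skips the vulnerable path whenever a directive is present; to reproduce the glibc abort Kees quotes, build with -O2 and _FORTIFY_SOURCE enabled and call emit_output_vulnerable() directly with a `%n` string held in writable memory, as his test does.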

Changed in kdesudo:
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdesudo - 3.4.2-0ubuntu1

---------------
kdesudo (3.4.2-0ubuntu1) karmic; urgency=low

  [ Anthony Mercatante ]
  * New upstream release:
    - Closes LP: #281877
    - Closes LP: #258799
    - Closes Debian #525292
    - Closes LP: #365956

  [ Florian Reinhard ]
  * Closes LP: #285084

 -- Florian Reinhard <email address hidden> Thu, 25 Jun 2009 23:02:47 +0200

Changed in kdesudo (Ubuntu):
status: Triaged → Fix Released
Changed in kdesudo:
status: Fix Committed → Fix Released