Hello, I'm not sure how to debug this just yet. I attached to the process from another terminal, but when I send the SIGINT (Ctrl-C at the password prompt) gdb intercepts it instead of passing it on to sudo, which is annoying. How can I turn that off? (Presumably gdb's `handle SIGINT nostop noprint pass` would deliver the signal to sudo's own handler rather than stopping the debuggee — the `c` below just re-catches it.) Is this exploitable? sudo is setuid root, and the strace below shows the crash occurs after the SIGINT handler has run and PAM has read /etc/shadow, so the question is whether this is a plain bad-pointer crash (local DoS at worst) or something with attacker-influenced data behind it. [20:10:08] core@euclid ~/ [3]% sudo ls Password:(ctrl-c aka SIGINT) zsh: segmentation fault sudo ls euclid:~# gdb -q `which sudo` `pidof sudo` (no debugging symbols found).../root/948: No such file or directory. Attaching to program: /usr/bin/sudo, process 948 Reading symbols from /lib/libcrypt.so.1... (no debugging symbols found)...done. Loaded symbols for /lib/libcrypt.so.1 Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/libdl.so.2 Reading symbols from /lib/libpam.so.0...(no debugging symbols found)...done. Loaded symbols for /lib/libpam.so.0 Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/libc.so.6 Reading symbols from /lib/ld.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/ld.so.1 Reading symbols from /lib/libnss_compat.so.2...(no debugging symbols found)... done. Loaded symbols for /lib/libnss_compat.so.2 Reading symbols from /lib/libnsl.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/libnsl.so.1 Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)... done. Loaded symbols for /lib/libnss_files.so.2 Reading symbols from /lib/security/pam_unix.so... (no debugging symbols found)...done. Loaded symbols for /lib/security/pam_unix.so 0x0fee0c20 in read () from /lib/libc.so.6 (gdb) c Continuing. Program received signal SIGINT, Interrupt. 
0x0fee0c20 in read () from /lib/libc.so.6 (gdb) bt #0 0x0fee0c20 in read () from /lib/libc.so.6 #1 0x10008088 in _init () #2 0x10007d84 in _init () #3 0x10008a94 in _init () #4 0x0fd46510 in _log_err () from /lib/security/pam_unix.so #5 0x0fd4786c in _unix_read_password () from /lib/security/pam_unix.so #6 0x0fd44130 in pam_sm_authenticate () from /lib/security/pam_unix.so #7 0x0ff6a6e4 in pam_fail_delay () from /lib/libpam.so.0 #8 0x0ff6aa04 in _pam_dispatch () from /lib/libpam.so.0 #9 0x0ff6c4d4 in pam_authenticate () from /lib/libpam.so.0 #10 0x10008778 in _init () #11 0x100083d4 in _init () #12 0x10001dc8 in _init () #13 0x10006460 in _init () #14 0x0fe31a30 in __libc_start_main () from /lib/libc.so.6 ... euclid:~# strace -ip`pidof sudo` [0fee0c20] --- SIGSTOP (Stopped (signal)) --- [0fee0c20] read(4, 0x7ffff258, 1) = ? ERESTARTSYS (To be restarted) [0fee0c20] --- SIGINT (Interrupt) --- [0fee0c30] write(4, "\n", 1) = 1 [0feee41c] ioctl(4, 0x802c7416, 0x7ffff238) = 0 [0fe472b4] rt_sigaction(SIGINT, {SIG_IGN}, NULL, 8) = 0 [0fe472b4] rt_sigaction(SIGHUP, {SIG_DFL}, NULL, 8) = 0 [0fe472b4] rt_sigaction(SIGQUIT, {SIG_IGN}, NULL, 8) = 0 [0fe472b4] rt_sigaction(SIGTERM, {SIG_DFL}, NULL, 8) = 0 [0fe472b4] rt_sigaction(SIGTSTP, {SIG_DFL}, NULL, 8) = 0 [0fe472b4] rt_sigaction(SIGTTIN, {SIG_DFL}, NULL, 8) = 0 [0fe472b4] rt_sigaction(SIGTTOU, {SIG_DFL}, NULL, 8) = 0 [0fee0c10] close(4) = 0 [0febde00] getpid() = 1028 [0fe45f28] kill(1028, SIGINT) = 0 [0fe45f28] --- SIGINT (Interrupt) --- [0fee7178] brk(0x10035000) = 0x10035000 [0feb13b4] time([1011410859]) = 1011410859 [0febde00] getpid() = 1028 [0fe472b4] rt_sigaction(SIGPIPE, {0xfeeaabc, [], 0}, {SIG_IGN}, 8) = 0 [0feeed00] socket(PF_UNIX, SOCK_DGRAM, 0) = 4 [0feee47c] fcntl64(0x4, 0x2, 0x1) = 0 [0feeea9c] connect(4, {sin_family=AF_UNIX, path="/dev/log"}, 16) = 0 [0feeec14] send(4, "<37>Jan 18 20:27:39 PAM_unix[102"..., 74, 0) = 74 [0fe472b4] rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0 [0fee0c10] close(4) = 0 
[0fee0b28] open("/etc/passwd", O_RDONLY) = 4 [0feee47c] fcntl64(0x4, 0x1, 0) = 0 [0feee47c] fcntl64(0x4, 0x2, 0x1) = 0 [0feee48c] fstat64(0x4, 0x7ffff4c8) = 0 [0feeadec] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x30015000 [0feee43c] _llseek(0x4, 0, 0, 0x7ffff538, 0x1) = 0 [0fee0c20] read(4, "root:x:0:0:root:/root:/bin/zsh\nd"..., 4096) = 1015 [0fee0c10] close(4) = 0 [0feeaf8c] munmap(0x30015000, 4096) = 0 [0fee0b28] open("/etc/shadow", O_RDONLY) = 4 [0feee47c] fcntl64(0x4, 0x1, 0) = 0 [0feee47c] fcntl64(0x4, 0x2, 0x1) = 0 [0feee48c] fstat64(0x4, 0x7ffff058) = 0 [0feeadec] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x30015000 [0feee43c] _llseek(0x4, 0, 0, 0x7ffff0c8, 0x1) = 0 [0fee0c20] read(4, "root:( censored ;):11514:0:99999"..., 4096) = 690 [0fee0c10] close(4) = 0 [0feeaf8c] munmap(0x30015000, 4096) = 0 [0fe93918] --- SIGSEGV (Segmentation fault) --- [20:10:11] core@euclid ~/ [4]% dpkg -l sudo Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==============-==============-============================================ ii sudo 1.6.4p1-1 Provides limited super user privileges to sp Seems like this may be a known problem: the 1.6.4p1 changelog entry below mentions a segfault fix, but the installed package is already 1.6.4p1-1, so either this is a different crash or that fix is incomplete. Note also that the trace above shows the SIGINT handler re-raising SIGINT to itself with kill(getpid(), SIGINT) after setting SIGINT to SIG_IGN, and the segfault then occurs later, after the PAM code has read /etc/passwd and /etc/shadow — i.e. in a setuid-root process with shadow data in memory, which is why the exploitability question matters. sudo (1.6.4p1-1) unstable; urgency=high * new upstream version, with fix for segfaulting problem in 1.6.4 -- Bdale Garbee <bdaleat_private> Mon, 14 Jan 2002 20:09:46 -0700 sudo (1.6.4-1) unstable; urgency=high * new upstream version, includes an important security fix, closes: #127576 -- Bdale Garbee <bdaleat_private> Mon, 14 Jan 2002 09:35:48 -0700 Best Regards, Charles 'core' Stevenson