Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sudosrv_cmd - null pointer dereference #7777

Open
ross-bradley opened this issue Dec 19, 2024 · 0 comments
Open

sudosrv_cmd - null pointer dereference #7777

ross-bradley opened this issue Dec 19, 2024 · 0 comments

Comments

@ross-bradley
Copy link

Impact

Unprivileged users can crash the sssd_sudo process by sending a request before issuing the expected "hello" message. This results in a null pointer dereference.

Information

Whilst investigating some behaviour of the sssd suite, I accidentally seg faulted the sssd_sudo process. I hadn't read the protocol specs sufficiently well, and had sent a SSS_SUDO_GET_SUDORULES message immediately after connecting to the daemon. Debugging the seg fault showed this was the result of a null pointer dereference when retrieving the protocol version from the connection context. As the context had not been created due to the out-of-order message, a null pointer is dereferenced. This leads to a process crash.

This issue is abusable by unprivileged users as the permissions check that requires the caller to be privileged happens immediately after the null pointer dereference.

The process is started again very quickly, which mitigates the overall impact of unprivileged, local users being able to crash the process.

Recommendations

Perform null checks on the cli_protocol context object prior to dereferencing it.

In the event the check does not succeed, log the error and return an error code, as with the other checks in the function.

Affected location

File: https://github.com/SSSD/sssd/blob/master/src/responder/sudo/sudosrv_cmd.c
Method: sudosrv_cmd
Line number: 203

static int sudosrv_cmd(enum sss_sudo_type type, struct cli_ctx *cli_ctx)
{
...
    cmd_ctx->cli_ctx = cli_ctx;
    cmd_ctx->type = type;
    cmd_ctx->sudo_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct sudo_ctx);
    if (cmd_ctx->sudo_ctx == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "sudo_ctx not set, killing connection!\n");
        return EFAULT;
    }

    pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol);
    protocol = pctx->cli_protocol_version->version; // RB: NULL POINTER DEREF OCCURS HERE

    /* the only intended client - suid binary 'sudo' */
    if (cli_ctx->priv != 1) {
      ...

Screenshot

image
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ross-bradley