sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

What's the impact of this change? #256

Closed BornThisWay closed 1 year ago

BornThisWay commented 1 year ago

Escape control characters in log messages and "sudoreplay -l" output.

https://github.com/sudo-project/sudo/commit/334daf92b31b79ce68ed75e2ee14fca265f029ca

millert commented 1 year ago

It depends on how you view the logs and whether or not your syslog server escapes control characters itself. If you were to simply cat the log files there is the possibility that the command or arguments could contain control characters that affect the user's terminal, or newline characters that make it appear that a different command was run.

BornThisWay commented 1 year ago

In fact, I wonder why they're CVEs. @millert https://nvd.nist.gov/vuln/detail/CVE-2023-28486 https://nvd.nist.gov/vuln/detail/CVE-2023-28487

millert commented 1 year ago

I didn't request those CVEs and I don't consider this to be a serious issue. Anyone can request a CVE, whether I think it is worth it or not...

BornThisWay commented 1 year ago

Okay, I see. Thank you so much.

BornThisWay commented 1 year ago

> It depends on how you view the logs and whether or not your syslog server escapes control characters itself. If you were to simply cat the log files there is the possibility that the command or arguments could contain control characters that affect the user's terminal, or newline characters that make it appear that a different command was run.

I'm still wondering what valuable problems it solves.

I tried to compare the phenomenon before and after the modification. For example, run the following command:

[testuser@localhost root]$ sudo echo "hello
> \t
> \b
> \v
> \r
> c
> \c
> \010
> "
hello
\t
\b
\v
\r
c
\c
\010

The results, viewed with the cat command, are as follows. Before:

Mar 21 15:03:42 : testuser : TTY=pts/2 ; PWD=/root ; USER=root ;
    COMMAND=/usr/bin/echo hello
\t
\b
\v
\r
c
\c
\010

After:

Mar 21 15:02:38 : testuser : TTY=pts/1 ; PWD=/root ; USER=root ;
    COMMAND=/usr/bin/echo
    hello#012\\t#012\\b#012\\v#012\\r#012c#012\\c#012\\010#012

1) Is that your "or newline characters that make it appear that a different command was run"?
2) Can you provide a scenario (cmd) to illustrate this situation -- "there is the possibility that the command or arguments could contain control characters that affect the user's terminal"?

I have not found any scenarios that affect the terminal. My sudoers configuration is as follows:

testuser        ALL=(ALL)       ALL
Defaults logfile=/var/log/sudo.log
Defaults iolog_file=%{seq}/log
Defaults log_input
Defaults log_output

We look forward to your reply. Thank you. @millert
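
As an added illustration (not part of the thread and not sudo's own code), the C sketch below applies the escaping convention visible in the "after" log above, `#` plus three octal digits for each control byte and a doubled backslash, to the echo argument from the test. The function names are hypothetical, and the sample string is reconstructed from the command shown in the last comment.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not sudo's function): copy src into dst, writing each
 * control byte as '#' plus three octal digits and doubling backslashes, the
 * convention seen in the "after" log. Returns the escaped length, or
 * (size_t)-1 if dst is too small, so a record is never silently truncated. */
size_t escape_log_field(const char *src, char *dst, size_t dstsize)
{
    size_t len = 0;

    if (dstsize == 0)
        return (size_t)-1;
    for (; *src != '\0'; src++) {
        unsigned char ch = (unsigned char)*src;
        size_t need = iscntrl(ch) ? 4 : (ch == '\\' ? 2 : 1);

        if (len + need >= dstsize)      /* keep room for the final NUL */
            return (size_t)-1;
        if (iscntrl(ch)) {
            snprintf(dst + len, 5, "#%03o", (unsigned int)ch);
            len += 4;
        } else if (ch == '\\') {
            dst[len++] = '\\';
            dst[len++] = '\\';
        } else {
            dst[len++] = (char)ch;
        }
    }
    dst[len] = '\0';
    return len;
}

/* Returns 1 if s still holds a raw control byte (newline, ESC, ...) that a
 * terminal or a line-oriented log parser would act on, 0 otherwise. */
int has_raw_control(const char *s)
{
    for (; *s != '\0'; s++)
        if (iscntrl((unsigned char)*s))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: the echo argument from the test in the thread. */
    const char *arg = "hello\n\\t\n\\b\n\\v\n\\r\nc\n\\c\n\\010\n";
    char out[128];

    if (escape_log_field(arg, out, sizeof(out)) == (size_t)-1)
        return 1;
    printf("raw has control bytes: %d\n", has_raw_control(arg));
    printf("COMMAND=/usr/bin/echo %s\n", out);
    return has_raw_control(out);        /* 0: the record stays on one line */
}
```
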