Sudo Heap Corruption Bug

Release Date:

February 22, 2001


A single-byte heap corruption bug exists in sudo versions 1.6.3p5 and below. Exploitation of the bug requires in-depth knowledge of the system malloc internals. The bug has been exploited on Linux and can allow an attacker to gain root privileges. No known exploits exist for other operating systems, but this should not be considered a Linux-only problem.

Sudo versions affected:

1.3.0 - 1.6.3p5 (inclusive)


When given a sufficiently long command line argument, sudo will write a single NUL byte past the end of a buffer allocated via malloc(). Based on the length of the command line argument it is possible to place the NUL byte at a location of the attacker's choice. This has been exploited on Linux to grant an attacker root privileges.
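The following is an added illustration of the bug class described above, not sudo's source code: a simplified length clamp that puts the terminating NUL one byte past a malloc()ed buffer, shown beside a bounded copy and a canary-based regression check. All function names and the sample argument are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the flawed pattern (not sudo's code): the length is
 * clamped to cap instead of cap - 1, so an argument of cap bytes or more
 * yields terminator index cap, one byte past the allocation (valid indices
 * are 0..cap-1). The index is only computed here, never written. */
size_t flawed_nul_index(size_t arg_len, size_t cap)
{
    return arg_len < cap ? arg_len : cap;
}

/* Hardened copy: the NUL always lands inside dst[0..cap-1].
 * Returns 0 if src fit, 1 if it was truncated, -1 on bad arguments. */
int bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t len;
    if (dst == NULL || src == NULL || cap == 0)
        return -1;
    len = strlen(src);
    if (len >= cap) {               /* no room for src plus terminator */
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);      /* copies the terminator as well */
    return 0;
}

/* Regression check: put a canary in the byte just past the logical buffer
 * and confirm the copy leaves it untouched. Returns 1 if intact. */
int canary_survives(const char *src, size_t cap)
{
    char *buf;
    int ok;
    if (cap == 0 || (buf = malloc(cap + 1)) == NULL)
        return -1;
    buf[cap] = 0x5a;                /* canary outside the logical buffer */
    bounded_copy(buf, cap, src);
    ok = (buf[cap] == 0x5a) && (strlen(buf) < cap);
    free(buf);
    return ok;
}

int main(void)
{
    const char *arg = "AAAAAAAAAAAAAAAA";   /* constructed 16-byte argument */
    printf("flawed NUL index, cap 8: %zu\n", flawed_nul_index(strlen(arg), 8));
    printf("canary intact: %d\n", canary_survives(arg, 8));
    return 0;
}
```

Building a check like canary_survives() with a memory-error detector such as AddressSanitizer or running it under Valgrind also catches single-byte overruns that a plain test run would not notice.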

For more information, see the Vudo article in Phrack 57.