CVE-2012-0809

sudo 1.8.0-1.8.3p1 - Local Use-After-Free via Format String in sudo_debug

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2012-0809. PoCs published by aeon, joernchen.

Description

Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for sudo.

Exploits (2)

exploitdb WORKING POC VERIFIED
by aeon · c · local · linux
https://www.exploit-db.com/exploits/25134

This exploit leverages a format string vulnerability in sudo (CVE-2012-0809) combined with a glibc FORTIFY_SOURCE bypass (CVE-2012-0864) to achieve local privilege escalation. It writes a backdoor to disk, compiles it, and executes it with root privileges via environment variable manipulation.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: sudo v1.8.0-1.8.3p1
No auth needed
Prerequisites: Vulnerable sudo version (1.8.0-1.8.3p1) · Vulnerable glibc version (2.14.90) · Write permissions in the target directory
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by joernchen · text · dos · linux
https://www.exploit-db.com/exploits/18436

This advisory describes a format string vulnerability in sudo versions 1.8.0 to 1.8.3p1, where user-controlled input via argv[0] is passed to vfprintf without proper sanitization. Exploitation can lead to privilege escalation by overwriting critical function calls like setuid().

Classification: Writeup 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: sudo 1.8.0 - 1.8.3p1
No auth needed
Prerequisites: Access to a system with vulnerable sudo version · Ability to execute sudo with a crafted argv[0]
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201203-06.xml
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2012-01/0591.html
Exploit, Vendor Advisory x_refsource_confirm
http://www.sudo.ws/sudo/alerts/sudo_debug.html

Scores

EPSS 0.0297
EPSS Percentile 85.4%

Details

CWE: CWE-134
Status: published
Products (7)
todd_miller/sudo 1.8.0
todd_miller/sudo 1.8.1
todd_miller/sudo 1.8.1p1
todd_miller/sudo 1.8.1p2
todd_miller/sudo 1.8.2
todd_miller/sudo 1.8.3
todd_miller/sudo 1.8.3p1
Published Feb 01, 2012
Tracked Since Feb 18, 2026