From: Stephen Samuel (samuelbcgreen.com)
Date: Sun Jul 06 2003 - 14:30:34 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The way it works is:

ln -s /var/run/sudo/mylogin/0:root /tmp/likely_tmp_name

Then you wait for or cause some setuid progrem to attempt to
(insecurely) write to /tmp/likely_tmp_name . When that happens,
/var/run/sudo/mylogin/0:root is created, and pam_timestamp_check
now allows you to run any helper application as if you'd
typed in the root password...

  Since these helper applicaitons tend to allow all sorts
of nasty work (like creating a uid=0 user), you've now got a
*serious* security violation on your hands.

The face that /var/run/sudo is rwx root only is no protection
because the open is doen by an suid-root program, and the symlink
in /tmp can be created by anybody.

Proof of concept:

as youreslf:
ln -s /var/run/sudo/$USER/unknown:root /tmp/oops

as root:
touch /tmp/oops

as yourself: open the system-settings/users&groups utility from
the desktop menu.

You can now create an account with uid=0

Now ANY exploit that can cause a setuid/root program to create
an arbitrary file (regardless of content) can be used to create
an arbitrary root user.

Finding such an exploit is left as an exercise for the user.

Carlos Villegas wrote:
> This way of attack seems useless to me. This is also used on RH 8.0
> systems, and for both 8.0 and 9 systems:
>
> drwx------ 4 root root 4096 Jun 27 08:43 /var/run/sudo
>
> Which means that if the packages are properly built (and will make sure
> that this directory gets this permissions if it existed before the
> rpm is installed), this attack will gain you nothing, since you need
> to be root to exploit it. If you can get root access to make this
> attack possible, then you might as well launch a shell instead.
>
> Carlos

Possible solution:
The suggested idea of putting some hard-to-fake information
into the sudo file seems like a good one.

Something like:

tty=`tty`
userinfo="$USER/${tty#/dev/pts/}:root"

date=`date +%s`
     echo $userinfo $date `{ echo $userinfo $date ; cat /etc/ssh/ssh_host_rsa_key ; } | md5sum` > /var/run/sudo/$userinfo

would create a reasonably high barrier to entry for any hacker
trying to exploit this bug. It's also reasonably easy to verify:

datestamp=`awk '{ printf "%s", $2}' /var/run/sudo/$userinfo`

echo $userinfo $datestamp `{ echo $userinfo $datestamp ; cat /etc/ssh/ssh_host_rsa_key ; } | md5sum ` | diff - /var/run/sudo/$userinfo

You'd also want to compare $datestamp to the modtime on
/var/run/sudo/$userinfo to make sure that they were within a
couple of seconds of each other (to frustrate replay attacks)

--
Stephen Samuel +1(604)876-0426 samuelbcgreen.com
                   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
        the jewel within each person and bring it to life.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]