
Thread: sudo privilege escalation flaw?

  1. #1
    Join Date
    Sep 2007
    Beans
    18
    Distro
    Xubuntu 7.10 Gutsy Gibbon

    sudo privilege escalation flaw?

    Is this just me, or is there a problem here?

    I log into an Ubuntu server as sudo-permitted user 'alfred'. I try "touch /root/test" and it gives the expected permissions error. I "sudo touch /root/test" and it prompts for a password, and after the correct password is entered it touches the specified file as user root, again as expected.

    Then I log out of the ubuntu server, and log into it as user 'alfred' again, but from a different machine and source IP. As long as I have the same TTY, it seems, I still have root privileges WITHOUT PROMPT. I can "sudo touch /root/test" or anything else and it happily grants me root privs.

    Now in the most common scenario, login and sudo are achieved with the same typed password, but that's not always the case. And there's a reason that " ALL=NOPASSWD: ALL" is NOT the default setting in /etc/sudoers...

    j

  2. #2
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: sudo privilege escalation flaw?

    This is configured with the timestamp / timeout variable.

    If you do not like this behavior change it. Take care when configuring sudo, especially on remote machines.

    timestamp_timeout
    Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.
    http://www.sudo.ws/sudo/man/sudoers.html


    The alternative is to run sudo -k before you log out.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface
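
Added example (not part of the thread and not sudo's own code): a shell function that lists every `timestamp_timeout` setting in sudoers-style text and classifies it using the three cases from the man page excerpt quoted above. The function name `audit_timestamp_timeout` and the sample file are constructed for illustration; include directives and line continuations are not followed.

```shell
#!/bin/sh
# Added example: report timestamp_timeout settings in sudoers-style text.
# Usage: audit_timestamp_timeout FILE  ->  "<scope> <value> <verdict>" per setting
audit_timestamp_timeout() {
    awk '
    /^[ \t]*#/ { next }    # skip comments (include directives are not followed)
    $1 ~ /^Defaults([:@!>].*)?$/ {
        # "Defaults" alone is global; Defaults:user, @host, !cmnd, >runas are scoped
        scope = ($1 == "Defaults") ? "global" : substr($1, 9)
        line = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)       # drop the Defaults token
        n = split(line, opts, /[ \t]*,[ \t]*/)      # options are comma-separated
        for (i = 1; i <= n; i++) {
            if (opts[i] !~ /^timestamp_timeout[ \t]*=/) continue
            val = opts[i]
            sub(/^[^=]*=[ \t]*/, "", val)
            gsub(/[ \t"]/, "", val)
            if (val !~ /^-?[0-9]+(\.[0-9]+)?$/) verdict = "unparsed"
            else if (val + 0 == 0)             verdict = "always-prompt"
            else if (val + 0 < 0)              verdict = "never-expires"
            else                               verdict = "cached"
            print scope, val, verdict
        }
    }' "$1"
}

# Constructed sample, not taken from a real host.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sudoers-style sample
Defaults        env_reset
Defaults        timestamp_timeout=0
Defaults:alfred timestamp_timeout=-1
Defaults:abe    env_reset,timestamp_timeout=5
EOF
audit_timestamp_timeout "$sample"
```

Any line reported as `cached` or `never-expires` leaves the window discussed in this thread open for that scope; `always-prompt` closes it.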

  3. #3
    Join Date
    May 2008
    Location
    Irvine, CA
    Beans
    189
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: sudo privilege escalation flaw?

    Huh? Anyway, if you are using the same terminal, when you use sudo, it retains that authorized session for a bit. So let's say you ran sudo apt-get install something and then afterwards you tried sudo -s -H. It will only ask you for your password the first time you ran sudo. However, if you wait some time and try to run sudo again, then it will prompt you for your password.

  4. #4
    Join Date
    Jan 2009
    Location
    Ventura, CA USA
    Beans
    22
    Distro
    Kubuntu 7.10 Gutsy Gibbon

    Re: sudo privilege escalation flaw?

    I am still learning, but I read that there is a hosts part of the specification in the sudoers file that currently says "(ALL)" which could be changed to allow only from certain hosts.

    Otherwise it means that you have elevated your rights until the timeout.

  5. #5
    Join Date
    Sep 2007
    Beans
    18
    Distro
    Xubuntu 7.10 Gutsy Gibbon

    Re: sudo privilege escalation flaw?

    Originally posted by pdtpatrick:
    Huh? Anyway, if you are using the same terminal, when you use sudo, it retains that authorized session for a bit. So let's say you ran sudo apt-get install something and then afterwards you tried sudo -s -H. It will only ask you for your password the first time you ran sudo. However, if you wait some time and try to run sudo again, then it will prompt you for your password.

    Yes, I was aware of that. What I wasn't aware of, and questioned the wisdom of, is that it lets one person run 'sudo apt-get install something' then a minute later a different remote user logged in with the same username and TTY can run 'sudo -s -H' without password challenge. Distinctly NOT the "same terminal" in most senses of the phrase.

    I'm just suggesting that it makes no sense that the temporary privileges (until the timeout expires, granted) can apply to a different, subsequent, login session from a different source IP. It seems that should be restricted to the PID of the shell as well as the userid and TTY, instead of just the latter two.

    As bodhi.zazen suggests, I'll be utilizing sudo -k in the future...

    j

  6. #6
    Join Date
    May 2008
    Location
    Irvine, CA
    Beans
    189
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: sudo privilege escalation flaw?

    I guess I didn't make myself clear... that only works (as far as I know) for the same user.

    Let's say I'm jdoe and I'm part of the sudoers group. I need to update something on my laptop, so I type sudo apt-get install something or sudo apt-get -y update

    and then I realize afterwards that there are several things I will need to install, so I decide to just become root (sudo -s -H). Since I had already run sudo apt-get install something, it still has the authenticated session open, so once I (the same user, using the same terminal) type sudo -s -H, it will automatically make me root without asking for the password because I just recently authenticated.

    I don't know what the time limit is or what yours is set to, but it stops working after some time and you will have to reauthenticate.

    Hopefully this clears up what I was trying to say. I wasn't saying that once he put his password in, another totally new user can use that same terminal and get root access from the previous user's session.

  7. #7
    Join Date
    Sep 2007
    Beans
    18
    Distro
    Xubuntu 7.10 Gutsy Gibbon

    Re: sudo privilege escalation flaw?

    Originally posted by pdtpatrick:
    I guess I didn't make myself clear... that only works (as far as I know) for the same user.

    Let's say I'm jdoe and I'm part of the sudoers group. I need to update something on my laptop, so I type sudo apt-get install something or sudo apt-get -y update

    and then I realize afterwards that there are several things I will need to install, so I decide to just become root (sudo -s -H). Since I had already run sudo apt-get install something, it still has the authenticated session open, so once I (the same user, using the same terminal) type sudo -s -H, it will automatically make me root without asking for the password because I just recently authenticated.

    I don't know what the time limit is or what yours is set to, but it stops working after some time and you will have to reauthenticate.

    Hopefully this clears up what I was trying to say. I wasn't saying that once he put his password in, another totally new user can use that same terminal and get root access from the previous user's session.

    But that is exactly what I'm seeing, though I presume you're referring to "userid" where I'm referring to physical users. The privilege escalation sans password applies to a DIFFERENT session if it has the same uid and TTY. Let me outline a scenario.

    As admin of a particular server I SSH to it as user 'abe', the only ordinary user account on the box, using a key to authenticate. I'm in as TTY pts/2. I 'sudo' something, then subsequently log out.

    One of our techs comes along behind me and logs into that same server via SSH from a different source IP, different workstation, also using user 'abe' and a keyfile for authentication - and ends up with TTY pts/2 from which I recently logged out. The tech can now utilize sudo even though he does NOT know the password, as long as he's there with the same username and TTY, within 5mins of when I entered the password. (which only I know)

    I realize there are a dozen ways (at least) to avoid this circumstance, and I'm not claiming it's a critical security flaw, but nevertheless I believe it IS a flaw if any transient security changes (i.e., sudo without re-entering password) persist across different sessions.

    j

  8. #8
    Join Date
    Dec 2006
    Location
    Chicago
    Beans
    3,839

    Re: sudo privilege escalation flaw?

    I agree. If an attacker gains shell access as your admin user, he can wait for you to use sudo, then re-use your sudo timestamp (valid for 15 minutes by default) to gain root. If he compromised your admin account by somehow discovering your password, he already has root, but there are other ways to compromise an account without a password.

    Edit bodhizazen: This post was reviewed by the staff and it was felt that the script was inappropriate for these forums. We realize this is a security discussion and that there was no malicious intent.
    Last edited by bodhi.zazen; January 28th, 2009 at 03:06 AM.

  9. #9
    Join Date
    Sep 2007
    Beans
    18
    Distro
    Xubuntu 7.10 Gutsy Gibbon

    Re: sudo privilege escalation flaw?

    Given the script that was posted and purged, it seems this is in fact exploitable.

    So what should be done now?

    j

  10. #10
    Join Date
    Jul 2006
    Location
    Hertfordshire
    Beans
    454
    Distro
    Kubuntu 9.04 Jaunty Jackalope

    Re: sudo privilege escalation flaw?

    Originally posted by newkirk:
    Given the script that was posted and purged, it seems this is in fact exploitable.

    So what should be done now?

    j

    As bodhi.zazen explained, you can disable the timestamp behaviour in sudo if you want. I suggest you do this if you sometimes hand out your user account to others.

    See this related thread: http://ubuntuforums.org/showthread.php?t=1045209
