Hosting Provided By

Re: Red Hat 9: free tickets

From: Stephen Samuel <samuel(at)bcgreen.com>
Date: Sun Jul 06 2003 - 15:30:34 EDT

ln -s /var/run/sudo/mylogin/0:root /tmp/likely_tmp_name

Then you wait for or cause some setuid progrem to attempt to (insecurely) write to /tmp/likely_tmp_name . When that happens, /var/run/sudo/mylogin/0:root is created, and pam_timestamp_check now allows you to run any helper application as if you'd typed in the root password...

Since these helper applicaitons tend to allow all sorts of nasty work (like creating a uid=0 user), you've now got a *serious* security violation on your hands.

The face that /var/run/sudo is rwx root only is no protection because the open is doen by an suid-root program, and the symlink in /tmp can be created by anybody.

Proof of concept:

as youreslf:
ln -s /var/run/sudo/$USER/unknown:root /tmp/oops

as root:
touch /tmp/oops

Do you need help?

as yourself: open the system-settings/users&groups utility from the desktop menu.

You can now create an account with uid=0

Now ANY exploit that can cause a setuid/root program to create an arbitrary file (regardless of content) can be used to create an arbitrary root user.

Finding such an exploit is left as an exercise for the user.

Carlos Villegas wrote:
> This way of attack seems useless to me. This is also used on RH 8.0
> systems, and for both 8.0 and 9 systems:
>
> drwx------ 4 root root 4096 Jun 27 08:43 /var/run/sudo
>
> Which means that if the packages are properly built (and will make sure
> that this directory gets this permissions if it existed before the
> rpm is installed), this attack will gain you nothing, since you need
> to be root to exploit it. If you can get root access to make this
> attack possible, then you might as well launch a shell instead.
>
> Carlos

Possible solution:
The suggested idea of putting some hard-to-fake information into the sudo file seems like a good one.

Something like:

tty=`tty`
userinfo="$USER/${tty#/dev/pts/}:root"

Do you need more help?

date=`date +%s`

echo $userinfo $date `{ echo $userinfo $date ; cat /etc/ssh/ssh_host_rsa_key ; } | md5sum` > /var/run/sudo/$userinfo

would create a reasonably high barrier to entry for any hacker trying to exploit this bug. It's also reasonably easy to verify:

datestamp=`awk '{ printf "%s", $2}' /var/run/sudo/$userinfo`

echo $userinfo $datestamp `{ echo $userinfo $datestamp ; cat /etc/ssh/ssh_host_rsa_key ; } | md5sum ` | diff - /var/run/sudo/$userinfo

You'd also want to compare $datestamp to the modtime on /var/run/sudo/$userinfo to make sure that they were within a couple of seconds of each other (to frustrate replay attacks)

-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
		   
http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
        the jewel within each person and bring it to life.

Received on Tue Jul 8 19:15:50 2003

This message: [ Message body ]
Next message: Bernie Cosell: "How vulnerable is a 'Limited" account on XP?"
Previous message: Vladimir Katalov: "Adobe Acrobat and PDF security: no improvements for 2 years"
Maybe in reply to: Michal Zalewski: "Red Hat 9: free tickets"
Next in thread: Jon Hart: "Re: Red Hat 9: free tickets"
Reply: Jon Hart: "Re: Red Hat 9: free tickets"
Reply: Stephen Samuel: "Re: Red Hat 9: free tickets"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT