The way it works is: ln -s /var/run/sudo/mylogin/0:root /tmp/likely_tmp_name Then you wait for or cause some setuid progrem to attempt to (insecurely) write to /tmp/likely_tmp_name . When that happens, /var/run/sudo/mylogin/0:root is created, and pam_timestamp_check now allows you to run any helper application as if you'd typed in the root password... Since these helper applicaitons tend to allow all sorts of nasty work (like creating a uid=0 user), you've now got a *serious* security violation on your hands. The face that /var/run/sudo is rwx root only is no protection because the open is doen by an suid-root program, and the symlink in /tmp can be created by anybody. Proof of concept: as youreslf: ln -s /var/run/sudo/$USER/unknown:root /tmp/oops as root: touch /tmp/oops as yourself: open the system-settings/users&groups utility from the desktop menu. You can now create an account with uid=0 Now ANY exploit that can cause a setuid/root program to create an arbitrary file (regardless of content) can be used to create an arbitrary root user. Finding such an exploit is left as an exercise for the user. Carlos Villegas wrote: > This way of attack seems useless to me. This is also used on RH 8.0 > systems, and for both 8.0 and 9 systems: > > drwx------ 4 root root 4096 Jun 27 08:43 /var/run/sudo > > Which means that if the packages are properly built (and will make sure > that this directory gets this permissions if it existed before the > rpm is installed), this attack will gain you nothing, since you need > to be root to exploit it. If you can get root access to make this > attack possible, then you might as well launch a shell instead. > > Carlos Possible solution: The suggested idea of putting some hard-to-fake information into the sudo file seems like a good one. Something like: tty=`tty` userinfo="$USER/${tty#/dev/pts/}:root" date=`date +%s` echo $userinfo $date `{ echo $userinfo $date ; cat /etc/ssh/ssh_host_rsa_key ; } | md5sum` > /var/run/sudo/$userinfo would create a reasonably high barrier to entry for any hacker trying to exploit this bug. It's also reasonably easy to verify: datestamp=`awk '{ printf "%s", $2}' /var/run/sudo/$userinfo` echo $userinfo $datestamp `{ echo $userinfo $datestamp ; cat /etc/ssh/ssh_host_rsa_key ; } | md5sum ` | diff - /var/run/sudo/$userinfo You'd also want to compare $datestamp to the modtime on /var/run/sudo/$userinfo to make sure that they were within a couple of seconds of each other (to frustrate replay attacks) -- Stephen Samuel +1(604)876-0426 samuelat_private http://www.bcgreen.com/~samuel/ Powerful committed communication. Transformation touching the jewel within each person and bring it to life.
This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 15:59:31 PDT