lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 06 Jul 2003 12:30:34 -0700
From: Stephen Samuel <samuel@...reen.com>
To: Carlos Villegas <villegas@...h.gatech.edu>
Cc: Michal Zalewski <lcamtuf@...ttot.org>, bugtraq@...urityfocus.com,
	vuln-dev@...urityfocus.com
Subject: Re: Red Hat 9: free tickets


The way it works is:

ln -s /var/run/sudo/mylogin/0:root /tmp/likely_tmp_name

Then you wait for or cause some setuid progrem to attempt to
(insecurely) write to /tmp/likely_tmp_name .   When that happens,
/var/run/sudo/mylogin/0:root is created, and pam_timestamp_check
now allows you to run any helper application as if you'd
typed in the root password...

  Since these helper applicaitons tend to allow all sorts
of nasty work (like creating a uid=0 user), you've now got a
*serious* security violation on your hands.

The face that /var/run/sudo is rwx root only is no protection
because the open is doen by an suid-root program, and the symlink
in /tmp can be created by anybody.

Proof of concept:

as youreslf:
ln -s /var/run/sudo/$USER/unknown:root /tmp/oops

as root:
touch /tmp/oops

as yourself: open the system-settings/users&groups utility from
the desktop menu.

You can now create an account with uid=0

Now ANY exploit that can cause a setuid/root program to create
an arbitrary file (regardless of content) can be used to create
an arbitrary root user.

Finding such an exploit is left as an exercise for the user.

Carlos Villegas wrote:
> This way of attack seems useless to me. This is also used on RH 8.0
> systems, and for both 8.0 and 9 systems:
> 
> drwx------    4 root     root         4096 Jun 27 08:43 /var/run/sudo
> 
> Which means that if the packages are properly built (and will make sure 
> that this directory gets this permissions if it existed before the
> rpm is installed), this attack will gain you nothing, since you need
> to be root to exploit it. If you can get root access to make this
> attack possible, then you might as well launch a shell instead.
> 
> Carlos

Possible solution:
The suggested idea of putting some hard-to-fake information
into the sudo file seems like a good one.

Something like:

tty=`tty`
userinfo="$USER/${tty#/dev/pts/}:root"

date=`date +%s`
     echo $userinfo $date `{ echo   $userinfo $date ; cat /etc/ssh/ssh_host_rsa_key ; } | md5sum` > /var/run/sudo/$userinfo

would create a reasonably high barrier to entry for any hacker
trying to exploit this bug. It's also reasonably  easy to verify:

datestamp=`awk '{ printf "%s", $2}'  /var/run/sudo/$userinfo`

echo $userinfo $datestamp  `{ echo $userinfo $datestamp ;  cat /etc/ssh/ssh_host_rsa_key ; } | md5sum ` | diff - /var/run/sudo/$userinfo

You'd also want to compare $datestamp to the modtime on
/var/run/sudo/$userinfo  to make sure that they were within a
couple of seconds of each other (to frustrate replay attacks)

-- 
Stephen Samuel +1(604)876-0426                samuel@...reen.com
		   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
        the jewel within each person and bring it to life.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ