[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.61.0603271504080.23026@pascal.physics.umd.edu>
Date: Mon, 27 Mar 2006 15:29:24 -0500 (EST)
From: "Thomas M. Payerle" <payerle@...sics.umd.edu>
To: Dave Korn <davek_throwaway@...mail.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Sudo tricks
On Fri, 24 Mar 2006, Dave Korn wrote:
> John Richard Moser wrote:
>
>> Here is a simple hack to break sudo and su to get free root. Add this
>> to ~/.bashrc and fill in the following blanks:
>>
>> * ~/.root_kit/rk_su
>> Your hacked su to give root on su --now-dammit
>> * ~/.root_kit/silent_install_root_kit
>> Your script to silently install rk_su over /bin/su and add SUID to
>> it.
>
> [dk@...per dk]$ ls -la /bin/su
> -rwsr-xr-x 1 root root 19132 Aug 29 2002 /bin/su
>
> So, in other words, all you need in order to get root access is a rootkit,
> your shell script, and root access? Ummm... I don't get it.
>
> cheers,
> DaveK
I think the original author is attempting to show that breaking into the
regular user account of a system administrator is equivalent to root access.
I dislike his use of the term "breaking" with regard to su or sudo as the
example is really not a problem with either su or sudo. (Especially in the
case of the latter, as his "breaking" of sudo implies user has rights to execute
any command via sudo, which is effectively a lame configuration of sudo).
Assume the standard best practice that a system administrator has a "regular"
account (uid != 0, and ideally no more privileged than anyone else's account,
except for ability to su to root, etc.) which is used for day to day activities,
and only becomes "root" (by direct console login, su, etc.) for tasks requiring
root privs.
I would agree that in all but the must security conscious environments (e.g.
seriously paranoid system admins), gaining access to the regular account can
be leveraged into root access by a skilled enough black hat. The "best
practice" was never really meant as a serious security precaution (and I
believe was recommended back in the days when security was an afterthought,
the encrypted root password was available to all, etc.).
If the administrator only becomes root by logging in directly as root on the
console of the box in question, they might not be vulnerable. But short of
that, there are a ton of ways to compromise root on a system if compromised
the regular user account of a sysadmin, including:
1) if sysadmin compiles new software as himself then installs as root,
installing a hacked compiler somewhere (writable by world or at least regular
user) and changing path/setting alias so this is what the user uses, could
be nasty.
2) modify the regular accounts browser to download all
your open source projects from my collection of hacked versions (and modify
md5sum, gpg, etc to validate my versions)
3) launching some code to silently collect all keystrokes by the user when
the user logs in (since only catching your own keystrokes, should be doable).
Then mail, etc. to the hacker.
4) email a fellow sysadmin explaining how you forgot the root password and ask
if he could send it to you.
There are too many attack vectors to think otherwise, but on the other hand
these are generally not simple script-kiddie attacks. Plus require the
compromise of the regular account.
Tom Payerle
Dept of Physics payerle@...sics.umd.edu
University of Maryland (301) 405-6973
College Park, MD 20742-4111 Fax: (301) 314-9525
Powered by blists - more mailing lists