| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Mar 2006 15:29:24 -0500 (EST) From: "Thomas M. Payerle" <payerle@...sics.umd.edu> To: Dave Korn <davek_throwaway@...mail.com> Cc: bugtraq@...urityfocus.com Subject: Re: Sudo tricks On Fri, 24 Mar 2006, Dave Korn wrote: > John Richard Moser wrote: > >> Here is a simple hack to break sudo and su to get free root. Add this >> to ~/.bashrc and fill in the following blanks: >> >> * ~/.root_kit/rk_su >> Your hacked su to give root on su --now-dammit >> * ~/.root_kit/silent_install_root_kit >> Your script to silently install rk_su over /bin/su and add SUID to >> it. > > [dk@...per dk]$ ls -la /bin/su > -rwsr-xr-x 1 root root 19132 Aug 29 2002 /bin/su > > So, in other words, all you need in order to get root access is a rootkit, > your shell script, and root access? Ummm... I don't get it. > > cheers, > DaveK I think the original author is attempting to show that breaking into the regular user account of a system administrator is equivalent to root access. I dislike his use of the term "breaking" with regard to su or sudo as the example is really not a problem with either su or sudo. (Especially in the case of the latter, as his "breaking" of sudo implies user has rights to execute any command via sudo, which is effectively a lame configuration of sudo). Assume the standard best practice that a system administrator has a "regular" account (uid != 0, and ideally no more privileged than anyone else's account, except for ability to su to root, etc.) which is used for day to day activities, and only becomes "root" (by direct console login, su, etc.) for tasks requiring root privs. I would agree that in all but the must security conscious environments (e.g. seriously paranoid system admins), gaining access to the regular account can be leveraged into root access by a skilled enough black hat. The "best practice" was never really meant as a serious security precaution (and I believe was recommended back in the days when security was an afterthought, the encrypted root password was available to all, etc.). If the administrator only becomes root by logging in directly as root on the console of the box in question, they might not be vulnerable. But short of that, there are a ton of ways to compromise root on a system if compromised the regular user account of a sysadmin, including: 1) if sysadmin compiles new software as himself then installs as root, installing a hacked compiler somewhere (writable by world or at least regular user) and changing path/setting alias so this is what the user uses, could be nasty. 2) modify the regular accounts browser to download all your open source projects from my collection of hacked versions (and modify md5sum, gpg, etc to validate my versions) 3) launching some code to silently collect all keystrokes by the user when the user logs in (since only catching your own keystrokes, should be doable). Then mail, etc. to the hacker. 4) email a fellow sysadmin explaining how you forgot the root password and ask if he could send it to you. There are too many attack vectors to think otherwise, but on the other hand these are generally not simple script-kiddie attacks. Plus require the compromise of the regular account. Tom Payerle Dept of Physics payerle@...sics.umd.edu University of Maryland (301) 405-6973 College Park, MD 20742-4111 Fax: (301) 314-9525
Powered by blists - more mailing lists