Message-ID: <20031119091713.R418-100000@iguana.reptiles.org>
From: gwen at reptiles.org (Gwendolynn ferch Elydyr)
Subject: Vulnerability in Terminal.app
On Wed, 19 Nov 2003 rixstep@...i.com wrote:
> There is a vulnerability in Apple's Terminal.app for OS X which affects
> Apple laptops.
>
> When running from the Terminal (within the Unix shell), the command
> sudo normally will not prompt for a password for five minutes after the
> password was last given.
>
> The vulnerability occurs when putting an Apple laptop to sleep after
> issuing a sudo command. Upon waking, the computer takes perhaps ten -
> twenty seconds to update the clock in the graphical interface, and sudo
> goes by this clock, and not the internal clock.

This sounds more like an issue with sudo than terminal.  Have you tested
to see if sudo displays the same behaviour on other machines?

> This has been tested on two Apple PowerBook G4 laptops and with
> operating systems OS X 10.2.3 Jaguar, OS X 10.2.7 Jaguar, and OS X 10.3
> Panther. The exploit works on all machines with all operating systems.

Isn't that a rather broad generalization from two machines and three
versions of the same operating system?

> There is a work-around for this vulnerability of course - actually
> several.
>
> 1. Never use sudo (not particularly practical).
>
> 2. Never put your box to sleep after a sudo unless at least 5 minutes
> (or whatever your interval is set to) have passed.
>
> 3. Issue either the 'sudo -k' command or the 'sudo -K' command before
> putting your box to sleep - make it a habit no matter if you remember
> issuing an ordinary sudo recently or not - 'just in case'.

4. Change your sudo settings to require a password each time you use it:

    timestamp_timeout
                Number of minutes that can elapse before sudo will ask for
                a passwd again.  The default is 5.  Set this to 0 to always
                prompt for a password.  If set to a value less than 0 the
                user's timestamp will never expire.  This can be used to
                allow users to create or delete their own timestamps via
                sudo -v and sudo -k respectively.

> The Code
> --------
> The weak link would seem to be in this snippet of the sudo source.

Have you also reported this to the authors of sudo[0]?

cheers!

[0] http://www.courtesan.com/sudo/
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."
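
Added example (not part of the original message and not code from the sudo project): a small Python audit for workaround 4 that reports which timestamp_timeout a sudoers file yields and flags negative values, which never expire. The sample text and the names audit and describe are constructed for illustration; it assumes later Defaults entries override earlier ones and does not follow include directives.

```python
import re

DEFAULT_MINUTES = 5.0  # default stated in the sudoers manual excerpt quoted above

# "Defaults", optionally scoped (:user, @host, >runas, !command), then settings.
DEFAULTS_LINE = re.compile(r"^Defaults(?:([:@>!])(\S+))?\s+(.*)$")
# Only the "timestamp_timeout=N" form is handled here.
TIMEOUT = re.compile(r"\btimestamp_timeout\s*=\s*\"?(-?\d+(?:\.\d+)?)")

# Constructed sample input, not taken from any real system.
SAMPLE = r"""
Defaults env_reset, \
    timestamp_timeout=15
Defaults:backup timestamp_timeout=-1
Defaults timestamp_timeout = 0   # always ask
"""


def audit(sudoers_text):
    """Return (global_minutes, {scope: minutes}) for timestamp_timeout."""
    global_minutes, scoped = DEFAULT_MINUTES, {}
    text = sudoers_text.replace("\\\n", " ")     # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # simplification: '#' starts a comment
        match = DEFAULTS_LINE.match(line)
        if not match:
            continue
        sigil, scope, settings = match.groups()
        for value in TIMEOUT.findall(settings):
            if sigil:
                scoped[sigil + scope] = float(value)
            else:
                global_minutes = float(value)    # assumption: last entry wins
    return global_minutes, scoped


def describe(minutes):
    """Map a timeout to the behaviour the manual excerpt describes."""
    if minutes < 0:
        return "never-expires"
    if minutes == 0:
        return "always-prompt"
    return "cached"


if __name__ == "__main__":
    global_minutes, scoped = audit(SAMPLE)
    print("global:", global_minutes, describe(global_minutes))
    for scope, minutes in scoped.items():
        print("scoped", scope, minutes, describe(minutes))
```
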
