Full Disclosure mailing list archives

Vulnerability in Terminal.app


From: rixstep () kagi com
Date: Wed, 19 Nov 2003 08:20:13 -0500

There is a vulnerability in Apple's Terminal.app for OS X which affects Apple laptops.

When running from the Terminal (within the Unix shell), the command sudo normally will not prompt for a password for five minutes after the password was last given.

The vulnerability occurs when putting an Apple laptop to sleep after issuing a sudo command. Upon waking, the computer takes perhaps ten to twenty seconds to update the clock in the graphical interface, and sudo goes by this clock, and not the internal clock.

Thus an intruder can open an Apple laptop and, given the right circumstances, take over a machine.

This has been tested on two Apple PowerBook G4 laptops and with operating systems OS X 10.2.3 Jaguar, OS X 10.2.7 Jaguar, and OS X 10.3 Panther. The exploit works on all machines with all operating systems. Under certain circumstances, Terminal.app can be opened when the computer is woken up; at other times it proves necessary to have the Terminal window still on the desktop; in all circumstances, as sudo goes after the wrong clock, root access is possible.

This vulnerability was reported to Apple Product Security on 3 November. On 14 November, after sending a reminder, Apple explained that they were working on the fix and testing it. Now that the two weeks are up and Apple has not yet released the fix, it's time to warn the public at large.

There is a work-around for this vulnerability of course - actually several.

1. Never use sudo (not particularly practical).

2. Never put your box to sleep after a sudo unless at least 5 minutes (or whatever your interval is set to) have passed.

3. Issue either the 'sudo -k' command or the 'sudo -K' command before putting your box to sleep - make it a habit whether or not you remember issuing an ordinary sudo recently - 'just in case'.

sudo -k
-------
The -k (kill) option to sudo invalidates the user's timestamp by setting the time on it to the epoch. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a logout file.

sudo -K
-------
The -K (sure kill) option to sudo removes the user's timestamp entirely. Likewise, this option does not require a password.

Demonstration
-------------
Open an Apple laptop running OS X, such as a PowerBook G4. Issue a sudo command. Leave the Terminal window open and close the computer. Go away for perhaps a half hour. Open the laptop, hit arrow up and return.

The Code
--------
The weak link would seem to be in this snippet of the sudo source.

/*
 * If the file/dir exists, check its mtime.
 */
if (status == TS_OLD) {
  /* Negative timeouts only expire manually (sudo -k). */
  if (def_ival(I_TIMESTAMP_TIMEOUT) < 0 && sb.st_mtime != 0)
    status = TS_CURRENT;
  else {
 // -----------------
    now = time(NULL);
 // -----------------
    if (def_ival(I_TIMESTAMP_TIMEOUT) &&
        now - sb.st_mtime < 60 * def_ival(I_TIMESTAMP_TIMEOUT)) {
      /*
       * Check for bogus time on the stampfile.  The clock may
       * have been set back or someone could be trying to spoof us.
       */
      if (sb.st_mtime > now + 60 * def_ival(I_TIMESTAMP_TIMEOUT) * 2) {
        log_error(NO_EXIT,
            "timestamp too far in the future: %20.20s",
            4 + ctime(&sb.st_mtime));
        if (timestampfile)
          (void) unlink(timestampfile);
        else
          (void) rmdir(timestampdir);
        status = TS_MISSING;
      } else
        status = TS_CURRENT;
    }
  }
}

Rick Downes
Rixstep
http://rixstep.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
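The following is an added example, not part of the post above and not sudo's own code: a small C model of the TS_OLD branch quoted in "The Code", driven with the numbers from the post (a five-minute timeout, a lid shut for half an hour, a clock that lags for a few seconds after wake). The stamp mtime is a constructed value, and verdict_after_wake is a hypothetical helper that exists only to make the point that sudo compares the stamp against whatever time(NULL) returns, never against real elapsed time.

```c
#include <stdio.h>
#include <time.h>

/* Outcome of the timestamp check, named as in the quoted sudo snippet. */
enum ts_status { TS_MISSING = 0, TS_OLD = 1, TS_CURRENT = 2 };

/*
 * Model (not sudo's own code) of the TS_OLD branch quoted above.
 * st_mtime is the stamp file's modification time, now is whatever
 * time(NULL) returned, timeout_min mirrors timestamp_timeout (default 5).
 */
enum ts_status check_timestamp(time_t st_mtime, time_t now, int timeout_min)
{
    /* Negative timeouts only expire manually (sudo -k). */
    if (timeout_min < 0 && st_mtime != 0)
        return TS_CURRENT;

    if (timeout_min && now - st_mtime < 60 * (time_t)timeout_min) {
        /* Stamp too far in the future: treated as bogus and removed. */
        if (st_mtime > now + 60 * (time_t)timeout_min * 2)
            return TS_MISSING;
        return TS_CURRENT;
    }
    return TS_OLD;   /* a password will be required */
}

/* sudo -k: the stamp's time is set to the epoch, so it always reads as expired. */
time_t sudo_k(void)
{
    return (time_t)0;
}

/*
 * Hypothetical wake-from-sleep scenario. real_elapsed is how long the lid
 * was shut; clock_elapsed is how far the clock that sudo reads has actually
 * advanced since the stamp was written (the post reports it lagging for
 * ten to twenty seconds after wake).
 */
enum ts_status verdict_after_wake(time_t stamp, time_t real_elapsed,
                                  time_t clock_elapsed, int timeout_min)
{
    (void)real_elapsed;   /* sudo never sees this value; that is the whole problem */
    return check_timestamp(stamp, stamp + clock_elapsed, timeout_min);
}

static const char *status_name(enum ts_status s)
{
    return s == TS_CURRENT ? "TS_CURRENT (no password asked)"
         : s == TS_OLD     ? "TS_OLD (password required)"
                           : "TS_MISSING (stamp discarded)";
}

int main(void)
{
    const time_t stamp = 1069200000;   /* constructed mtime of the stamp file */

    printf("clock correct, 30 min later:   %s\n",
           status_name(verdict_after_wake(stamp, 1800, 1800, 5)));
    printf("clock lagging, 15 s after wake: %s\n",
           status_name(verdict_after_wake(stamp, 1800, 15, 5)));
    printf("after sudo -k, clock lagging:   %s\n",
           status_name(check_timestamp(sudo_k(), stamp + 15, 5)));
    printf("stamp 20 min in the future:     %s\n",
           status_name(check_timestamp(stamp + 1200, stamp, 5)));
    printf("stamp 5 min in the future:      %s\n",
           status_name(check_timestamp(stamp + 500, stamp, 5)));
    return 0;
}
```

Two things worth noticing when running it: the "bogus time" guard only fires for stamps more than twice the timeout in the future, so a stamp a few minutes ahead of the clock still passes, and a clock that has not yet caught up after sleep looks to this check exactly like a clock that never moved. That is why the workaround in the post is to zero the stamp with sudo -k (or remove it with sudo -K) rather than to rely on the timeout.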

