Bugtraq mailing list archives
Re: Sudo tricks
From: "Thomas M. Payerle" <payerle () physics umd edu>
Date: Mon, 27 Mar 2006 15:29:24 -0500 (EST)
On Fri, 24 Mar 2006, Dave Korn wrote:
John Richard Moser wrote:Here is a simple hack to break sudo and su to get free root. Add this to ~/.bashrc and fill in the following blanks: * ~/.root_kit/rk_su Your hacked su to give root on su --now-dammit * ~/.root_kit/silent_install_root_kit Your script to silently install rk_su over /bin/su and add SUID to it.[dk@pepper dk]$ ls -la /bin/su -rwsr-xr-x 1 root root 19132 Aug 29 2002 /bin/su So, in other words, all you need in order to get root access is a rootkit, your shell script, and root access? Ummm... I don't get it. cheers, DaveK
I think the original author is attempting to show that breaking into the regular user account of a system administrator is equivalent to root access. I dislike his use of the term "breaking" with regard to su or sudo as the example is really not a problem with either su or sudo. (Especially in the case of the latter, as his "breaking" of sudo implies user has rights to execute any command via sudo, which is effectively a lame configuration of sudo).Assume the standard best practice that a system administrator has a "regular" account (uid != 0, and ideally no more privileged than anyone else's account, except for ability to su to root, etc.) which is used for day to day activities,
and only becomes "root" (by direct console login, su, etc.) for tasks requiring root privs.I would agree that in all but the must security conscious environments (e.g. seriously paranoid system admins), gaining access to the regular account can
be leveraged into root access by a skilled enough black hat. The "bestpractice" was never really meant as a serious security precaution (and I believe was recommended back in the days when security was an afterthought,
the encrypted root password was available to all, etc.). If the administrator only becomes root by logging in directly as root on the console of the box in question, they might not be vulnerable. But short of that, there are a ton of ways to compromise root on a system if compromised the regular user account of a sysadmin, including:1) if sysadmin compiles new software as himself then installs as root, installing a hacked compiler somewhere (writable by world or at least regular
user) and changing path/setting alias so this is what the user uses, could be nasty. 2) modify the regular accounts browser to download all your open source projects from my collection of hacked versions (and modify md5sum, gpg, etc to validate my versions)3) launching some code to silently collect all keystrokes by the user when the user logs in (since only catching your own keystrokes, should be doable).
Then mail, etc. to the hacker. 4) email a fellow sysadmin explaining how you forgot the root password and ask if he could send it to you. There are too many attack vectors to think otherwise, but on the other hand these are generally not simple script-kiddie attacks. Plus require the compromise of the regular account.Tom Payerle Dept of Physics payerle () physics umd edu
University of Maryland (301) 405-6973 College Park, MD 20742-4111 Fax: (301) 314-9525
Current thread:
- Sudo tricks John Richard Moser (Mar 23)
- Re: Sudo tricks Dave Korn (Mar 25)
- Re: Sudo tricks Kyle Wheeler (Mar 27)
- Re: Sudo tricks Thomas M. Payerle (Mar 28)
- Re: Sudo tricks Krzysztof Halasa (Mar 29)
- RE: Sudo tricks Burton Strauss (Mar 31)
- <Possible follow-ups>
- Re: Sudo tricks Steven M. Christey (Mar 28)
- Re: Sudo tricks Javor Ninov (Mar 31)
- Re: Sudo tricks Dave Korn (Mar 25)