Re: Sudo tricks

[Javor Ninov <drfrancky () securax org>]

If we have access to another user ~/ why installing root kit and not use
some trivial attack ? like path attack as example or clean exec ?
installing a root kit on monitored system will yell alarms. as i
previously said if we have access to another user ~/ we have full access
to all privileges that this user have.
the main issue here is how we get access to the user ~/

about the local virus ..
in the example given by the author we compromise the user A which have
sudo to root
if we have knowledge of the target system we can easily make automated
program that compromises other users accounts but .. /there is always
but/ in order to compromise other users we will need bigger privs than
the user that we attack or some system wide exploit /which is sort of
bigger privs/. then if we have those privs why bothering writing a
automated program and not compromise them at once ?

the only scenario that this is useful is if we have a user A which can
execute commands in the context of a user B which can execute commands
in context of root
in that case if we have a way to compromise user A's ~/ then we can make
some automated program that gathers information ,even have some
predefined logic about handling some commands enabled in /etc/sudoers,
 and then exploit it. but thats a very rare case.

p.s.
sudo to root without pass ... c'mon you have to be kidding me, right ?

Javor Ninov aka DrFrancky
drfrancky[shift + 2]securax.org
securitydot.net


Steven M. Christey wrote:
> > So, in other words, all you need in order to get root access is a
> > rootkit, your shell script, and root access? Ummm... I don't get it.
>
> I was also confused by this.  However, one guess is that by
> compromising an unprivileged account and creating command aliases to
> run trojaned su and sudo programs, the attacker can hopefully gain
> access to another account, then another, etc.  By using these sudo
> "privilege chains" the attacker might eventually obtain root access.
>
> This attack would be slightly virus-like in behavior, although local
> to the system.  And it might accomplish less, and more slowly, than if
> the attacker used some other means to determine the explicit su/sudo
> relationships and exploit them directly (e.g. sudo -l to list allowed
> commands?)  And this attack sounds like it's entirely dependent on
> whether or not such a chain even exists on the system.  Insert
> standard text about the likelihood of easier attack vectors here.
>
> Just a guess, though.  Interesting notion of a local-only "virus" to
> compromise users on a multi-user system, although it seems like just
> another way to exploit trust relationships once you've gained access
> to a local account.
>
> - Steve

Attachment: signature.asc
Description: OpenPGP digital signature