Full Disclosure mailing list archives
Re: Vulnerability in Terminal.app
From: Gwendolynn ferch Elydyr <gwen () reptiles org>
Date: Wed, 19 Nov 2003 09:31:30 -0500 (EST)
On Wed, 19 Nov 2003 rixstep () kagi com wrote:
There is a vulnerability in Apple's Terminal.app for OS X which affects Apple laptops. When running from the Terminal (within the Unix shell), the command sudo normally will not prompt for a password for five minutes after the password was last given. The vulnerability occurs when putting an Apple laptop to sleep after issuing a sudo command. Upon waking, the computer takes perhaps ten - twenty seconds to update the clock in the graphical interface, and sudo goes by this clock, and not the internal clock.
This sounds more like an issue with sudo than terminal. Have you tested to see if sudo displays the same behaviour on other machines?
This has been tested on two Apple PowerBook G4 laptops and with operating systems OS X 10.2.3 Jaguar, OS X 10.2.7 Jaguar, and OS X 10.3 Panther. The exploit works on all machines with all operating systems.
Isn't that a rather broad generalization from two machines and three versions of the same operating system?
There is a work-around for this vulnerability of course - actually several. 1. Never use sudo (not particularly practical). 2. Never put your box to sleep after a sudo unless at least 5 minutes (or whatever your interval is set to) have passed. 3. Issue either the 'sudo -k' command or the 'sudo -K' command before putting your box to sleep - make it a habit no matter if you remember issuing an ordinary sudo recently or not - 'just in case'.
4. Change your sudo settings to require a password each time you use it: timestamp_timeout Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.
The Code -------- The weak link would seem to be in this snippet of the sudo source.
Have you also reported this to the authours of sudo[0]? cheers! [0] http://www.courtesan.com/sudo/ ========================================================================== "A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Vulnerability in Terminal.app rixstep (Nov 19)
- Re: Vulnerability in Terminal.app Gwendolynn ferch Elydyr (Nov 19)
- Re: Vulnerability in Terminal.app rixstep (Nov 19)
- Re: Vulnerability in Terminal.app Charles E. Hill (Nov 19)
- <Possible follow-ups>
- Re: Vulnerability in Terminal.app hays (Nov 19)
- Re: Vulnerability in Terminal.app Matt Burnett (Nov 19)
- Re: Vulnerability in Terminal.app Timo Schoeler (Nov 19)
- Re: Vulnerability in Terminal.app Matt Burnett (Nov 19)
- Re: Vulnerability in Terminal.app Gwendolynn ferch Elydyr (Nov 19)