Re: Vulnerability in Terminal.app

[Gwendolynn ferch Elydyr <gwen () reptiles org>]

On Wed, 19 Nov 2003 rixstep () kagi com wrote:
> There is a vulnerability in Apple's Terminal.app for OS X which affects
> Apple laptops.
>
> When running from the Terminal (within the Unix shell), the command
> sudo normally will not prompt for a password for five minutes after the
> password was last given.
>
> The vulnerability occurs when putting an Apple laptop to sleep after
> issuing a sudo command. Upon waking, the computer takes perhaps ten -
> twenty seconds to update the clock in the graphical interface, and sudo
> goes by this clock, and not the internal clock.

This sounds more like an issue with sudo than terminal.  Have you tested
to see if sudo displays the same behaviour on other machines?

> This has been tested on two Apple PowerBook G4 laptops and with
> operating systems OS X 10.2.3 Jaguar, OS X 10.2.7 Jaguar, and OS X 10.3
> Panther. The exploit works on all machines with all operating systems.

Isn't that a rather broad generalization from two machines and three
versions of the same operating system?

> There is a work-around for this vulnerability of course - actually
> several.
>
> 1. Never use sudo (not particularly practical).
>
> 2. Never put your box to sleep after a sudo unless at least 5 minutes
> (or whatever your interval is set to) have passed.
>
> 3. Issue either the 'sudo -k' command or the 'sudo -K' command before
> putting your box to sleep - make it a habit no matter if you remember
> issuing an ordinary sudo recently or not - 'just in case'.

4. Change your sudo settings to require a password each time you use it:

    timestamp_timeout
                Number of minutes that can elapse before sudo will ask for
                a passwd again.  The default is 5.  Set this to 0 to always
                prompt for a password.  If set to a value less than 0 the
                user's timestamp will never expire.  This can be used to
                allow users to create or delete their own timestamps via
                sudo -v and sudo -k respectively.

> The Code
> --------
> The weak link would seem to be in this snippet of the sudo source.

Have you also reported this to the authours of sudo[0]?

cheers!
[0] http://www.courtesan.com/sudo/
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html