oss-sec mailing list archives
Re: race condition checking digests/checksums in sudoers
From: cve-assign () mitre org
Date: Tue, 10 Nov 2015 15:38:30 -0500 (EST)
http://www.sudo.ws/man/1.8.15/sudoers.man.html
If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 digest. This may be useful in situations where the user invoking sudo has write access to the command or its parent directory.
This results in a race condition if the digest functionality is used as suggested (in fact, the rules are matched before the user is prompted for a password, so you have quite some time to replace the binary from underneath sudo).
Our perspective is that the documentation is directly misleading, and the product actually does not have a security feature for which there's a reasonable expectation. We do assign a CVE ID in this type of situation, and can do that later this week unless there's other discussion.

As far as we know, the Digest_Spec feature can be useful if the user invoking sudo doesn't have write access to the program file, but a second (and potentially untrusted) user does have write access to the program file. In the envisioned scenario, the second user is not allowed to use sudo, the second user has no way to predict when anyone else may use sudo, and the second user cannot use their write access often. Thus, if the second user attempts a file-replacement attack, the attack will almost certainly occur at an ineffective instant of time, and the Digest_Spec feature will successfully prevent the attacker's desired outcome.

However, the documentation is specifically about "the user invoking sudo has write access." A reasonably experienced person reading the documentation could easily conclude that sudo and the kernel cooperate to ensure that the executed code is always exactly the same as the code with the specified SHA-2 digest value. This person can't be expected to guess that a race condition is considered OK because a non-racy approach may be hard to implement.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
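Added example, not part of the original message and not sudo's own code: a sketch of the "non-racy approach" the message alludes to, where the digest is computed through an open file descriptor and that same descriptor is what gets executed, so a later swap of the path no longer changes what runs. The function names, file names and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of_fd(fd):
    """Hash the file an open descriptor refers to, reading from offset 0."""
    h = hashlib.sha256()
    offset = 0
    while True:
        chunk = os.pread(fd, 65536, offset)
        if not chunk:
            return h.hexdigest()
        h.update(chunk)
        offset += len(chunk)


def open_verified(path, expected_hex):
    """Resolve the path once, verify the digest via the descriptor, return the fd.

    The caller should execute this fd (os.execve accepts an fd where
    os.execve is in os.supports_fd) instead of resolving the path again.
    Caveat: the fd pins the inode, not its bytes. It covers replacement via a
    writable parent directory, not in-place writes by someone who can write
    to the file itself.
    """
    fd = os.open(path, os.O_RDONLY)
    if sha256_of_fd(fd) != expected_hex:
        os.close(fd)
        raise PermissionError("digest mismatch for " + path)
    return fd


def demo():
    """Constructed scenario: the path is replaced after the digest check."""
    with tempfile.TemporaryDirectory() as d:
        cmd, other = os.path.join(d, "cmd"), os.path.join(d, "other")
        approved = b"#!/bin/sh\necho approved\n"  # constructed sample content
        with open(cmd, "wb") as f:
            f.write(approved)
        expected = hashlib.sha256(approved).hexdigest()
        fd = open_verified(cmd, expected)  # the check happens here
        with open(other, "wb") as f:  # a different file is renamed over the path
            f.write(b"#!/bin/sh\necho different\n")
        os.replace(other, cmd)
        with open(cmd, "rb") as f:  # what a second path lookup would now see
            path_digest = hashlib.sha256(f.read()).hexdigest()
        fd_digest = sha256_of_fd(fd)  # what the verified descriptor still refers to
        os.close(fd)
        return expected, path_digest, fd_digest
```

`demo()` returns the approved digest, the digest seen by a second path lookup, and the digest seen through the verified descriptor; only the last still matches after the swap.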
Current thread:
- race condition checking digests/checksums in sudoers Alyssa Milburn (Nov 09)
- Re: race condition checking digests/checksums in sudoers cve-assign (Nov 10)
- Re: race condition checking digests/checksums in sudoers cve-assign (Nov 18)
- Re: race condition checking digests/checksums in sudoers Tomas Hoger (Dec 01)