Thoughts on "sudo" Privilege Escalation

I have one of those "this doesn't seem quite right" feelings about the way "sudo" escalates privileges in Linux. In Ubuntu, for instance, a user may preface a command with "sudo" in order to run a command as "root" (provided they can give the correct password). If the correct password is given, the user will be able to continue to use the "sudo" command in that tty (window) without a password until a length of time has passed without using it. The actual process that happens when you use a "sudo" command is as follows:

1) The user enters "sudo <command>" in a tty
2) The OS will check for a file at /var/run/sudo/{username}/{tty}
3) If the file exists, it will check the timestamp on the file. If the modified timestamp is within the expiring limit, no password will be needed, and the modified timestamp is updated.
4) If the file does not exist or the modified timestamp is expired, it will ask for a password.
5) When the valid password is given, it will create the file (or update the modified timestamp)
6) The command will now be run with "root" privileges.

The files in /var/run/sudo/{username} all have permissions that allow only root to read and write them, so this should theoretically be safe. However, the only important attribute of this file is the modified timestamp. Whether the file is created or modified by a simple touch command or by piping random output to the file, sudo access will be granted to the user/tty corresponding to that particular file.

I see two scenarios on how this could be attacked by a non-privileged user:
a) The user runs a setuid binary that allows an output/log file to be specified without dropping privileges.
b) A binary writes to a fixed location, but the user, perhaps through a race condition, creates a symlink from the fixed location to /var/run/sudo/{username}/{tty}.

In both cases, no matter what the output from the program was, it would update the timestamp on that particular file and allow that user to run sudo commands without requiring the root password.

I think a simple fix to both of these issues would be to require a specific modification of the file at that location instead of a simple timestamp update. If nonsensical writing to the file did not grant access, both of these problems would go away. Thoughts?
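
A minimal model of the fix proposed above, as an added example that is not from the original post and is not sudo's code: it contrasts the timestamp-only check with one that requires a specific record and refuses to follow symlinks. The record layout, MAGIC, the 15-minute TIMEOUT and all function names are assumptions for illustration, and the demo runs in a temporary directory on Linux.

```python
import os
import stat
import struct
import tempfile

TIMEOUT = 15 * 60                   # assumed expiry window, in seconds
MAGIC = b"TSREC001"                 # hypothetical marker, not sudo's format
RECORD = struct.Struct("<8sIq32s")  # magic, uid, auth time, tty name

def mtime_only_valid(path, now):
    """Check as described in the post: only the modified timestamp counts."""
    try:
        return 0 <= now - os.stat(path).st_mtime <= TIMEOUT
    except FileNotFoundError:
        return False

def write_record(path, uid, tty, now):
    """Proposed fix: write a specific record; never write through a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(RECORD.pack(MAGIC, uid, int(now), tty.encode()))

def record_valid(path, uid, tty, now):
    """Grant only if the file holds a well-formed, matching, fresh record."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:                 # missing file, or the path is a symlink
        return False
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            return False
        data = f.read(RECORD.size + 1)
    if len(data) != RECORD.size:    # stray output is the wrong size or shape
        return False
    magic, rec_uid, when, rec_tty = RECORD.unpack(data)
    return (magic == MAGIC and rec_uid == uid
            and rec_tty.rstrip(b"\0") == tty.encode()
            and 0 <= now - when <= TIMEOUT)

def demo():
    """Constructed scenario: unrelated output lands in the timestamp file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pts0")
        with open(path, "w") as f:
            f.write("unrelated log output\n")  # stands in for any stray write
        now = os.stat(path).st_mtime + 60      # one minute after that write
        stray = (mtime_only_valid(path, now), record_valid(path, 1000, "pts/0", now))
        write_record(path, 1000, "pts/0", now)
        return stray, record_valid(path, 1000, "pts/0", now)
```

demo() returns the two verdicts on the stray write (timestamp-only check, record check), followed by the record check's verdict once a genuine record has been written.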

Happy hunting :-)