getting the root password through .bashrc and a fakesudo

Reported by Adna rim on 2007-07-20
Affects: Ubuntu
Importance: Undecided
Assigned to: Kees Cook

Bug Description

First, because many people didn't understand this at all, read this forum post relating to this hole, where it should be made clear: http://ubuntuforums.org/showthread.php?t=504740

A short summary:

It's pretty simple to go from user to root level once you have access to a system. There's no need for any local root exploit for Ubuntu anymore because of the .bashrc file in the home directory. The file is writable from the user account, so you just need to append alias sudo=pwdstealingfakesudo to it, and the next time the user uses sudo he's dead.

One could also simply social engineer a new Ubuntu or Linux user (maybe also an ignorant older one..) remotely by telling him to execute a "harmless" tool/script (and although I haven't tested it, I'm pretty sure this can also be triggered by user-level applications which support plugins!) and telling him he doesn't have to be afraid because he should just execute it with user privileges and not root, and he's dead too. Through the Ubuntu security scheme many are thinking that as long as you don't work as root there can't happen any great harm.

Also a virus could very easily make use of this, making an Ubuntu virus as harmful as a Windows one!

This is in my eyes a serious privilege escalation.

I'm asking myself why this file is by default writable by the user on an Ubuntu Feisty Fawn Desktop-System, if you bear in mind how rarely a normal user needs this file and how dangerous this is, as I explained above.
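For readers who want to check their own accounts for the trick the report describes, here is a defender-side script. It is an added example, not code from the bug report or from Ubuntu: it scans the bash startup files a login would source and reports any line that rebinds "sudo" to an alias or a shell function. The function names, the temporary directory and the sample .bashrc contents are constructed for the demonstration; the appended line in the tampered sample simply mirrors the report's own alias sudo=pwdstealingfakesudo.

```shell
#!/bin/sh
# Added example (not from the bug report or Ubuntu): a defender-side check for
# the ".bashrc alias sudo" trick. It scans shell startup files and reports any
# line that rebinds "sudo" to an alias or a shell function.
# File names and file contents below are constructed for the demo.

# scan_sudo_overrides FILE...
# Prints "file:line:text" for every line that rebinds sudo.
# Returns 0 when nothing was found, 1 when at least one rebinding exists.
scan_sudo_overrides() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Matches:  alias sudo=...   sudo() {...   function sudo ...
        # Comment lines (leading #) do not match because the pattern is anchored.
        if grep -nHE '^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([^[:alnum:]_]|$))' "$f"; then
            found=1
        fi
    done
    return "$found"
}

# count_sudo_overrides FILE...
# Number of rebinding lines across the given files (handy for scripting).
count_sudo_overrides() {
    scan_sudo_overrides "$@" | wc -l | tr -d ' '
}

# scan_user_startup_files [HOME_DIR]
# Checks the usual bash startup files of one account (default: current $HOME).
scan_user_startup_files() {
    h=${1:-$HOME}
    scan_sudo_overrides "$h/.bashrc" "$h/.bash_profile" "$h/.bash_aliases" \
                        "$h/.profile" "$h/.bash_login"
}

# --- constructed demo data (hypothetical, not real user files) ----------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# A clean .bashrc: ordinary aliases only.
cat > "$demo_dir/clean.bashrc" <<'EOF'
alias ll='ls -l'
export EDITOR=vi
EOF

# A tampered copy: the appended line mirrors the report's own example.
cat > "$demo_dir/tampered.bashrc" <<'EOF'
alias ll='ls -l'
export EDITOR=vi
alias sudo=pwdstealingfakesudo
EOF

if scan_sudo_overrides "$demo_dir/clean.bashrc"; then
    echo "clean.bashrc: sudo is not rebound"
fi
if ! scan_sudo_overrides "$demo_dir/tampered.bashrc"; then
    echo "tampered.bashrc: WARNING, sudo is rebound in a startup file"
fi
```

Run it against a real account with scan_user_startup_files /home/someuser. Any hit deserves a look, including the occasionally legitimate alias sudo='sudo ' idiom, since the check flags every rebinding rather than judging intent. In an interactive shell the same question can be asked directly with type sudo, which should answer "sudo is /usr/bin/sudo" rather than naming an alias or function.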

darkog (darko-gavrilovic) wrote :

Is it an Ubuntu security problem or how sudo is implemented?

C de-Avillez (hggdh2) wrote :

I am not sure I follow the reasoning (and yes, I read the forum thread). I do not see this as a critical issue.

1. this is not limited to changing ~/.bashrc. There are many other avenues for infiltration via a trojan if the user installs untrusted applications.
2. why would making .bashrc read-only solve the issue? If I am running my trojan under the user's id, I can simply make it writable again & then write what I want in there.
3. This depends on having either
   (a) access to a logged-in account, or
   (b) install/build of untrusted code/applications.

On (a), if a user left the system unlocked, then there is absolutely nothing Ubuntu -- or any other OS -- can do. There is a limit on how far we can protect against user laxness.

On (b), if you are installing/building untrusted applications (from a strict security point of view), you have already compromised your system.

I do not see this as either an Ubuntu security issue or a problem with sudo, but I am leaving the final decision to the security folks here.

Kees Cook (kees) wrote :

Thanks for your report! As hggdh mentions, this is true of any system. Even if sudo and bashrc weren't used, aliases and other tricks could be built to hijack passwords. If you have some specific suggestions for areas of improvement, please open new bug reports for those fixes.

Adna rim (adnarim) wrote :

Hi Kees Cook, have you read the forum post and not only hggdh's statement? Then you would have read what I wrote about exploiting alias and why this is many times harder, and about "other tricks": What do you mean with that? And please stop talking about user-level trojans or keyloggers, because as I pointed out very clearly in the forum, it's not possible to steal the root password with them. No user-level keylogger can sniff the sudo password!

And just because other distros have the same bug, doesn't mean it is good, does it?

And also this stupid example with physical access... I'm really sick that I even mentioned it, but never thought people would understand it so mindlessly....

The point is that with this bug, tell me any!! reason why someone shouldn't work as root the whole time like Windows users do? Please, any reason, because with this bug there's no difference. A virus can use this and become as harmful as any Windows one. A hacker can exploit a user-level application and get root without any need for a local root exploit. Really, with this bug you don't have to tell people not to work as root, because there's no frontier between the root and user accounts.

But I'm outta here; if even the Ubuntu staff doesn't care, why should I? But don't you dare say you haven't been warned, because I know for certain that this is actively being abused to root Linux boxes! I didn't pull that out of my magical hat...

C de-Avillez (hggdh2) wrote :

@Adna:

"Then you would have read what I wrote about exploiting alias and why this is many times harder and about 'other tricks'".

We talked about exploiting the alias through ~/.bashrc. This is not many times harder. This is, in fact, an easy (although sort of convoluted) attack vector.

Attacks like this one require that someone or something had physical/logical access to the user account (e.g., walking in and finding an unsecured session, or by an installed malicious program, or via the Web). If none of the above applies, then there is no attack.

"please stop talking about userlvl trojans or keylogger because as I pointed very clearly out in the forum it's not possible..."

Sorry. It is possible. Your example of a fakesudo is a perfectly valid example of a keylogger.

keylogger: program/hardware that intercepts keystrokes, either all or a subset.

fakesudo: a program that intercepts keystrokes and eventually passes them to the real sudo.

So fakesudo *is* a keylogger.

"...to steal root-pwd with them"

Huh. A comment here: if your sudo implementation requires a user to type in the root password to gain access to root... this is bad security. Really. A decent sudo implementation will require the *user* password, and will limit access to some subset of commands.

"And just because other distros have the same bug, doesn't mean it is good, does it?"

No, it certainly does not. The problem we seem to be having is on accepting (or not) what you proposed as a bug. It is *NOT* a bug. It is the result of some bad choices by the user (and the sysadmins, probably).

"And also this stupid example with physical access...I'm really sick that I even mentioned it but never thought people would understand it so mindless...."

s/physical/physical|network/g

Otherwise, how will this be exploited?

"...the rest of the rant..."

This is a rant. As such, it deserves no response (although I am aware this sentence *is* a response).

This report contains Public Security information.