cross-platform virus

John dingo at coco2.arach.net.au
Mon Apr 10 01:14:40 BST 2006 

Daniel Robitaille wrote:
> On 4/8/06, Shawn McMahon <smcmahon at eiv.com> wrote:
> 
>>On Sat, Apr 08, 2006 at 10:57:37AM +0800, Senectus . said:
>>
>>>   6. su root
>>>   7. make install
>>
>>If we're going to install viruses, let's do it the "right" way:
>>
>>sudo make install
> 
> 
> I always wondered about the potential of a problem with sudo in the
> context of a linux virus/worm script.  Let's say that "virus" had the
> line "sudo rm -Rf /", and that script/virus was run automatically
> because of an action of the user in an application with a bug/security
> weakness  (by reading an email, clicking a link in firefox, whatever).
>  Obviously it wouldn't work (sudo needs to ask for a password), unless
> the user had done a sudo command within the last 15 minutes, and the
> sudo command still has a token not to ask for a new password.
> 
> Wouldn't making Ubuntu's sudo asking for a password every single time
> instead of the current once-per-15-minutes  make the OS more secure
> and immune to this type of simple script with a damaging payload?  But
> of course that would be annoying while using sudo in our day-to-day
> usage, but for an increased security I would consider doing it (and
> actually do on one of my system)

sudo's tickets can be tied to a specific tty; while not foolproof, it 
makes the use of sudo to do this kind of thing rather problematic, 
requiring the victim to
1. Create a new tty (eg open konsole or gnome-terminal)
2. Authenticate using sudo
3. Undo 1.

Only then might the victim be vulnerable.

To exploit the vulnerability, the attacker then needs the attack vector. 
Knowledgable users should check their email clients & such to check that 
they do not automatically run executable content (some years ago kmail 
tried but failed as it didn't do the chmod); if they do, then report it 
as a bug and, as needed, argue for it to be fixed.


Note that one does not have to be root to do evil things. Root kits _I_ 
have seen would have been more effictive if not run as root - buggering 
up /bin and /sbin wrongly causes the system to not run and then it's 
immediately apparent something's wrong. OTOH quitely installing an IRC 
bot as an existing (or maybe new) user may well go undetected for quite 
some time.

More information about the sounder mailing list