Lack of information about the flaw of the use of sudo

Conno Boel conno.boel at solcon.nl
Thu Sep 22 06:55:12 UTC 2016


Hello Edgard,

First of all, you guessed right about the list. It's mainly for
discussing and maintaining docs. A quick google shows me that you can
report Ubuntu vulnerabilities here:
https://wiki.ubuntu.com/SecurityTeam/FAQ#Contact

That being said, bash is a tool that comes with most distributions, so
maybe a little more googling might turn up an upstream reporting tool
for linux. (For me it didn't, but I didn't put in too much effort).

Also, even though I do agree that the behaviour can be dangerous, it's
like you yourself said: First you need write permission to the bashrc
file. Also, the targeted user needs to have sudo rights. (Else they are
not going to use sudo).
Also, if you can alias sudo with a fake sudo, you can actually alias
anything, so in that sense the attack is broader.

From all angles though, you'd also need file creation and the ability to
chmod the phishing sudo file too, at which point I'd argue that the
target system is already breached anyways.

Which, in my limited knowledge would make this a privilege escalation
vulnerability. Not to say it's not bad, but it's at least not something
to directly panic about :)
I'm still learning about this stuff though, so I might be wrong...

Either way, you can ignore my ramblings about the vulnerability though,
the reporting website is what you were looking for, yes?


Greetings,

Cornelis


On 22-9-2016 04:04, Edgard Schmidt wrote:
> Hi,
> at first, I have doubts whether this is the right place for noting
> this because I see mostly meta discussions here. If it is not: I would
> be glad, if you tell me the right place.
>
> I found some interesting texts about a fundamental flaw of the Ubuntu
> use of 'sudo' [1-4]. To summarize, let's say that an attacker can
> execute arbitrary code as a normal non-root desktop user, for example
> by making use of a browser exploit. The attacker could edit the user's
> ".bashrc" file and insert the following line:
> alias sudo='bash ~/.malware/fake-sudo.sh'
> By copying a malicious "phishing sudo" to that path, the attacker could
> hijack the user's password as soon as the user calls "sudo" next time
> [5]. After that, he is able to gain root access. Thus, from a security
> point of view, it does not matter whether the regular desktop user
> runs his desktop as root or not. It makes no difference.
>
> This security issue seems so obvious to me, that I am sure the
> maintainer already know it. However, many people do NOT know it.
> That's why I am posting this mail to the ubuntu-doc mailing-list. Am I
> right in assuming that the only purpose of "sudo" on Ubuntu is
> preventing Linux beginners from accidentally breaking their systems?
> If so, I have two suggestions:
>
> 1. The official documentation and the help wiki should point out this
> issue very plainly. Many people trust the "sudo" mechanism absolutely.
> There are a vast number of articles and tutorials which rely on
> "sudo". I am still doubtful about the issue because I cannot believe
> that so many people could err. I did not find any information about
> this problem on the Ubuntu pages except a small hint, which is likely
> overlooked by most readers [6].
>
> 2. In addition, some solutions, which fix this issue, should be
> described. I am not a security expert, but I guess there exist
> possible ways:
> * On desktop systems: what about disabling "su" and "sudo" and
> allowing root logins via virtual consoles and secure attention keys [7]?
> * On server systems: some people recommend restricting the permissions
> of the users for accessing their own home directories [8].
>
> Maybe my proposed "solutions" are nonsense. Nevertheless I just want
> to communicate the "message" to you since I am sure that something is
> wrong.
>
>
> 1. http://dmitry.khlebnikov.net/2015/07/should-we-use-sudo-for-day-to-day.html
> 2. http://unix.stackexchange.com/questions/8581/which-is-the-safest-way-to-get-root-privileges-sudo-su-or-login
> 3. https://www.scriptjunkie.us/2016/08/the-security-pretend-game-sudo-and-runas/
> 4. http://www.openwall.com/lists/owl-users/2004/10/20/6
> 5. https://en.wikipedia.org/wiki/Login_spoofing
> 6. https://help.ubuntu.com/community/RootSudo#Misconceptions
> 7. https://en.wikipedia.org/wiki/Secure_attention_key
> 8. Thanks to the Freenode chatters from ##security
>
>
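The hijack discussed in this thread (sudo redefined by an alias or shell function in a startup file, or shadowed by another executable earlier in PATH) can be checked for from the defender's side. The script below is an added example, not code from either poster or from Ubuntu; the list of startup files, the expected binary location /usr/bin/sudo and the constructed demo .bashrc are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): detect "sudo" redefined as an alias or
# function in shell startup files, or shadowed by another file earlier in PATH.
# The file list and the expected sudo path are assumptions (Ubuntu defaults).

SUDO_EXPECTED="${SUDO_EXPECTED:-/usr/bin/sudo}"   # assumption: Ubuntu's sudo

# Print each line of file $1 that defines sudo as an alias or shell function.
# Returns 0 when at least one such line exists, 1 otherwise (or if unreadable).
find_sudo_overrides() {
    [ -r "$1" ] || return 1
    grep -nE '^[[:space:]]*(alias[[:space:]]+sudo=|(function[[:space:]]+)?sudo[[:space:]]*\(\)|function[[:space:]]+sudo([[:space:]]|$))' "$1"
}

# Audit the usual startup files under home directory $1.
# Returns 0 when no override was found, 1 when any file redefines sudo.
audit_startup_files() {
    dirty=0
    for f in .bashrc .bash_profile .bash_aliases .profile .zshrc; do
        if find_sudo_overrides "$1/$f" >/dev/null; then
            echo "WARNING: $1/$f redefines sudo:"
            find_sudo_overrides "$1/$f"
            dirty=1
        fi
    done
    return $dirty
}

# Resolve sudo through PATH; returns 0 only if it is the expected system binary.
check_sudo_path() {
    resolved=$(command -v sudo 2>/dev/null) || { echo "sudo not found in PATH"; return 1; }
    if [ "$resolved" != "$SUDO_EXPECTED" ]; then
        echo "WARNING: sudo resolves to $resolved, expected $SUDO_EXPECTED"
        return 1
    fi
    echo "OK: sudo resolves to $resolved"
}

# Stand-alone demo: a constructed home directory containing the alias line
# from the thread (sample input, not a real user's file), then the live PATH check.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf '%s\n' "alias sudo='bash ~/.malware/fake-sudo.sh'" > "$demo/.bashrc"
    audit_startup_files "$demo" || echo "-> audit result: override found"
    rm -rf "$demo"
    check_sudo_path
fi
```

Run `sh audit-sudo.sh --demo` to see the detection on the constructed file; for a real check, source the file and call `audit_startup_files "$HOME"` followed by `check_sudo_path`.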