Re: Sudo tricks

To: "Steven M. Christey" <coley@xxxxxxxxx>
Subject: Re: Sudo tricks
From: Javor Ninov <drfrancky@xxxxxxxxxxx>
Date: Wed, 29 Mar 2006 13:02:56 +0300
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <200603270026.k2R0QaVU026353@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Openpgp: id=06A3F982
Organization: Securax LTD
References: <200603270026.k2R0QaVU026353@xxxxxxxxxxxxxxx>
Reply-to: drfrancky@xxxxxxxxxxx
User-agent: Thunderbird 1.5 (Windows/20051201)

If we have access to another user ~/ why installing root kit and not use
some trivial attack ? like path attack as example or clean exec ?
installing a root kit on monitored system will yell alarms. as i
previously said if we have access to another user ~/ we have full access
to all privileges that this user have.
the main issue here is how we get access to the user ~/

about the local virus ..
in the example given by the author we compromise the user A which have
sudo to root
if we have knowledge of the target system we can easily make automated
program that compromises other users accounts but .. /there is always
but/ in order to compromise other users we will need bigger privs than
the user that we attack or some system wide exploit /which is sort of
bigger privs/. then if we have those privs why bothering writing a
automated program and not compromise them at once ?

the only scenario that this is useful is if we have a user A which can
execute commands in the context of a user B which can execute commands
in context of root
in that case if we have a way to compromise user A's ~/ then we can make
some automated program that gathers information ,even have some
predefined logic about handling some commands enabled in /etc/sudoers,
 and then exploit it. but thats a very rare case.

p.s.
sudo to root without pass ... c'mon you have to be kidding me, right ?

Javor Ninov aka DrFrancky
drfrancky[shift + 2]securax.org
securitydot.net

Steven M. Christey wrote:
>> So, in other words, all you need in order to get root access is a
>> rootkit, your shell script, and root access? Ummm... I don't get it.
> 
> I was also confused by this.  However, one guess is that by
> compromising an unprivileged account and creating command aliases to
> run trojaned su and sudo programs, the attacker can hopefully gain
> access to another account, then another, etc.  By using these sudo
> "privilege chains" the attacker might eventually obtain root access.
> 
> This attack would be slightly virus-like in behavior, although local
> to the system.  And it might accomplish less, and more slowly, than if
> the attacker used some other means to determine the explicit su/sudo
> relationships and exploit them directly (e.g. sudo -l to list allowed
> commands?)  And this attack sounds like it's entirely dependent on
> whether or not such a chain even exists on the system.  Insert
> standard text about the likelihood of easier attack vectors here.
> 
> Just a guess, though.  Interesting notion of a local-only "virus" to
> compromise users on a multi-user system, although it seems like just
> another way to exploit trust relationships once you've gained access
> to a local account.
> 
> - Steve

Attachment: signature.asc
Description: OpenPGP digital signature

References:
- Re: Sudo tricks
  - From: Steven M. Christey

Prev by Date: OSSTMM Security Analyst Training Live Stream on the Web
Next by Date: Re: On classifying attacks
Previous by thread: Re: Sudo tricks
Next by thread: [HV-PAPER] Security Product Evaluation Tips
Index(es):
- Date
- Thread