Re: Sudo: local root compromise with krb5 enabled

To: "James Downs" <egon@xxxxxxx>
Subject: Re: Sudo: local root compromise with krb5 enabled
From: "Mark Senior" <senatorfrog@xxxxxxxxx>
Date: Thu, 7 Jun 2007 13:55:52 -0600
Cc: "Thor Lancelot Simon" <tls@xxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=bUPFxOWlTvOmPIl7nF0YZvQBGIc9sgLJqLQ57tHPMaKWXg8VhUO7JhRB7mkTpS2XTsLNzl3E1KxwZZKdkRE9qtv6d4BBEWLIinEp+Q8WEg2Fo9YyQznZT5VbP327UU8/SYFmI5emUCs2e50IkoLSwxr5CXITM3OgoLdlyACf2uo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ciSZS1LB929h8BWBgPdiPp008rahWDiq7IJJNZC5/JEiEzMQUDZZhM5wpg8JCuoOZHefms6yLMmrXyUaF79jVOD+JFlsJDO+OFXDK/t6ePlNxZZJkkJZzkeicLfDk303fe/ri3aKm32odkkF8wlI6FKPUEU6AF9M/L560nth07A=
In-reply-to: <B0DAA497-490E-4A7B-85C0-9AC6AE946517@xxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070607015725.GA22190@xxxxxxxxx> <B0DAA497-490E-4A7B-85C0-9AC6AE946517@xxxxxxx>

On 6/7/07, James Downs wrote:

On Jun 6, 2007, at 6:57 PM, Thor Lancelot Simon wrote:

> The 'sudo' package can be built to use Kerberos 5 for authentication
> of users.  When a user is properly authenticated to sudo, sudo grants

It should be noted that Kerberos is not an authorization system.  All
this case does is allow a user, who can already log into your system,
and already can use sudo, to bypass their real password.  If the user
can't do things as root, correct or incorrect password isn't buying
them much.

This IS a bug in handling kerberos authentication, but if the user
can log into the system, the user can use any version of sudo, and if
they're authorized, they already know their password, and can do
things as root.


In Suse Linux 10, the default /etc/sudoers has

...
Defaults targetpw    # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
...

In other words, in the SuSE default config, sudo is just an
overcomplicated su - to sudo something as root, you need not your own
password, but root's - except you don't have to be in wheel to use it.

If sudo is configured as above, and uses kerberos, then all users
might be able to exploit this.

Follow-Ups:
- Re: Sudo: local root compromise with krb5 enabled
  - From: Todd C. Miller

References:
- Sudo: local root compromise with krb5 enabled
  - From: Thor Lancelot Simon
- Re: Sudo: local root compromise with krb5 enabled
  - From: James Downs

Prev by Date: [SECURITY] [DSA 1299-1] New ipsec-tools packages fix denial of service
Next by Date: Re: Sudo: local root compromise with krb5 enabled
Previous by thread: Re: Sudo: local root compromise with krb5 enabled
Next by thread: Re: Sudo: local root compromise with krb5 enabled
Index(es):
- Date
- Thread