[ale] security hole?

Richard Bronosky Richard at Bronosky.com
Thu Jul 30 06:59:59 EDT 2009


Does it only work with mount? Could you try the steps again with
sudo touch /etc/test?

On 7/30/09, Tim Watts <timtw at earthlink.net> wrote:
> Hi,
>
> What's wrong with this picture?
>
> -------------------------------------------------
> timtw@dellberry:~$ sudo -K
>
>
> timtw@dellberry:~$ echo | sudo -S mount /dev/sda5 /mnt >/dev/null
>
> timtw@dellberry:~$ echo $?
> 0
>
> timtw@dellberry:~$ mount
> <...snip...>
> /dev/sda5 on /mnt type ext3 (rw)
>
> timtw@dellberry:~$ sudo umount /mnt
> [sudo] password for timtw:{i hit ^C here}
>
> timtw@dellberry:~$ echo | sudo -S umount /mnt >/dev/null
>
> timtw@dellberry:~$ echo $?
> 0
>
> timtw@dellberry:~$ mount
> /dev/sda5 on / type ext3 (rw,relatime,errors=remount-ro)
> tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
> /proc on /proc type proc (rw,noexec,nosuid,nodev)
> sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
> varrun on /var/run type tmpfs (rw,nosuid,mode=0755)
> varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
> udev on /dev type tmpfs (rw,mode=0755)
> tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
> devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
> fusectl on /sys/fs/fuse/connections type fusectl (rw)
> lrm on /lib/modules/2.6.27-14-generic/volatile type tmpfs (rw,mode=755)
> securityfs on /sys/kernel/security type securityfs (rw)
> binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
> mtpfs on /media/mtp type fuse.mtpfs (rw,nosuid,nodev,allow_other)
>
> timtw@dellberry:~$
> -------------------------------------------------
>
> Here's the key point: I was able to perform privileged actions while my
> sudo "token" was expired WITHOUT entering a password. Now it's true that a
> person without sudo privileges couldn't do this but it still seems like a
> hole to me.
> The odd thing is that without the >/dev/null (or any redirect), the
> commands fail as expected. This does NOT happen on my machine with kernel
> version 2.6.27-7-generic.
>
> Can anyone reproduce this?
>
> Here's the relevant version info:
> -------------------------------------------------
> timtw@dellberry:~$ sudo -V
> Sudo version 1.6.9p17
>
> timtw@dellberry:~$ bash --version
> GNU bash, version 3.2.39(1)-release (i486-pc-linux-gnu)
> Copyright (C) 2007 Free Software Foundation, Inc.
>
> timtw@dellberry:~$ mount --version
> mount from util-linux-ng 2.14 (with libvolume_id and selinux support)
>
> timtw@dellberry:~$ uname -a
> Linux dellberry 2.6.27-14-generic #1 SMP Tue Jun 30 19:57:39 UTC 2009 i686 GNU/Linux
>
> timtw@dellberry:~$ cat /etc/*rel*
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=8.10
> DISTRIB_CODENAME=intrepid
> DISTRIB_DESCRIPTION="Ubuntu 8.10"
>
> timtw@dellberry:~$
> -------------------------------------------------
>
>
> --
> A banker is a fellow who lends you his umbrella when the sun is shining, but
> wants it back the minute it begins to rain.
>  -- Mark Twain

-- 
Sent from my mobile device

.!# RichardBronosky #!.

