undefined | Better HN

0 pointsLeifCarrotson1y ago0 comments

They can execute anything they like as root... by entering their password.

This post shows a way that clever code can execute anything it likes as root without knowing the user's password. That seems pretty significant to me.

0 comments

rlpb1y ago

> They can execute anything they like as root... by entering their password.

If it has control of your user account, then it can just arrange to wrap your shell prompt and wait for you to sudo something else. The sudo password prompt in its default arrangement doesn't really provide much security there and isn't expected to.

withinboredom1y ago

On a server, you may be waiting months for that human to login and use sudo. Maybe even years.

chmod7751y ago

On a properly configured server you'll be waiting forever, because the users actually running the applications on that server aren't the same users who have privileges to make changes to the system or have access to stuff like sudo. So if you take over the nginx/postgres/whatever user, you're not really going to get anywhere.

On the other hand you probably don't need to. Those users already expose all the juicy data on the server. You don't gain much from obtaining root anyways, except better persistence.

This attack might be more interesting when chained with some other exploit that gains access to a users system via their e-mail client or browser. In other words nice if you're NSO Group making exploits for targeting individuals, but not that useful if you're trying to make a botnet.

rlpb1y ago

That's not really relevant nowadays. Most attacks are done indiscriminately and en-masse, so an attacker wouldn't have to wait very long in practice.

Only in "advanced persistent thread" territory is your point really relevant, but the attack I describe is much more widely applicable. Having to wait a while is therefore not in any way a mitigation. In practice then, one cannot assume any security from sudo requiring a password.

https://en.wikipedia.org/wiki/Advanced_persistent_threat

nneonneo1y ago

Somewhat tangentially, I will say that Touch ID-based sudo is a real upgrade over password sudo. It still gives you that extra moment to reflect on whether you really want to run that command (unlike passwordless sudo), without being burdensome.

akira25011y ago

Using print server vulnerabilities to gain local privilege escalation is reminiscent of Windows 95. The year of "Linux on the Desktop," I guess.

Yasuraka1y ago

In fact it's also reminiscent of Windows 11.

j / k navigate · click thread line to collapse

0 comments

rlpb1y ago

> They can execute anything they like as root... by entering their password.

withinboredom1y ago

On a server, you may be waiting months for that human to login and use sudo. Maybe even years.

chmod7751y ago

On the other hand you probably don't need to. Those users already expose all the juicy data on the server. You don't gain much from obtaining root anyways, except better persistence.

rlpb1y ago

That's not really relevant nowadays. Most attacks are done indiscriminately and en-masse, so an attacker wouldn't have to wait very long in practice.

https://en.wikipedia.org/wiki/Advanced_persistent_threat

nneonneo1y ago

akira25011y ago

Using print server vulnerabilities to gain local privilege escalation is reminiscent of Windows 95. The year of "Linux on the Desktop," I guess.

Yasuraka1y ago

In fact it's also reminiscent of Windows 11.

j / k navigate · click thread line to collapse