Only the superuser may set the date, and if the system securelevel (see
securelevel(7)) is greater than 1, the time may not be changed by more
than 1 second.
If that's true IMO that's the security issue, not the arguably strange behaviour of sudo in a situation that should never occur.
`date` still behaves as one expects.
env_reset
If set, sudo will run the command in a minimal
environment containing the TERM, PATH, HOME, MAIL,
SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
Any variables in the caller's environment that match
the env_keep and env_check lists are then added,
followed by any variables present in the file specified
by the env_file option (if any). The default contents
of the env_keep and env_check lists are displayed when
sudo is run by root with the -V option. If the
secure_path option is set, its value will be used for
the PATH environment variable. This flag is on by
default.
Also, you can not use LD_PRELOAD on sudo itself, as it is disabled for setuid binaries.
[0]: http://www.openwall.com/lists/oss-security/2013/02/27/22
http://www.ubuntu.com/usn/usn-1754-1/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
I can think of a handful of corporate machines (e.g. web servers) I've had pubkey access on where sudo allowed the real admin to gain root from the same account via sudo.
http://thread.gmane.org/gmane.linux.network/260061
bad times :/
On the other hand my system here still crashes if I type file:/// with one big letter.
It's certainly worth mentioning (and patching), but I wouldn't describe it as "and boom you're root".
On desktop machines getting root is almost useless, you have all the sensitive information on the user account. Unless the attacker wants to install a rootkit in the kernel or open raw sockets or stuff like that. But if they can run arbitrary code with your UID you've probably already lost anyway.
I wonder, does this require the user to be listed in sudoers with any privileges or is it just straight to root?
there's no confusion with sudo, it's running as designed. It compares the current timestamp to the user timestamp to determine whether to ask for a password or not. The first flaw is in the date command allowing unprivileged users to set the time. The second is that the -K flag to sudo makes the -k flag obsolete, so the latter should be dropped.
There are much easier attack vectors.
-g Normally, ntpd exits with a message to the system log if the offset exceeds the panic
threshold, which is 1000 s by default. This option allows the time to be set to any value
without restriction; however, this can happen only once. If the threshold is exceeded after
that, ntpd will exit with a message to the system log. This option can be used with the -q
and -x options. See the tinker command for other options.When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user's time stamp file can be reset using "sudo -k" or removed altogether via "sudo -K".
A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running "sudo -k" and then setting the clock to the epoch (1970-01-01 01:00:00).
The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.
By default, sudo displays a lecture when the user's time stamp
file is not present. In sudo 1.6, the -k option was changed
to reset the time stamp file to the epoch rather than remove
it to prevent the lecture from being displayed the next time
sudo was run. No special case was added for handling a time
stamp file set to the epoch since the clock should never
legitimately be set to that value.sudo -k sets the timestamp to the epoch under the (misguided) assumption that the epoch will always be older than the configured time interval.
some distributions allow any user to change the system time without requiring root privileges. These are typically user-friendly, single-user distributions, but many people run these same distributions on multi-user server boxes as well.
so, if an attacker gains access to a user account, and assuming that user does have the right to sudo to root, the attacker can run these three commands to gain a root shell.
If you then change the date to be the same day (which can be done without root permissions in modern Linux distros by using polkit or similar things), then you can use sudo to run commands as root without a password.
Presumably, sudo checks the 'last-successful-login' entry alone before deciding whether to require a password. It ends up thinking you've previously successfully logged in even if you've never actually typed in the needed password.
In your planning always keep in mind that anyone with shell-access to your server can become root in one way or another, if he really wants to. There is little "defense in depth" after that point.
On OSX run sudo -k, open date and time prefs. Set date to 1970-01-01 00:00:00 including timezone offset (+1 for CET) then run sudo su
http://packages.debian.org/changelogs/pool/main/s/sudo/sudo_...
Why does 'sudo -k' not check to see if a timestamp exists, and avoid creating one if it doesn't yet exist?