Last year there was a bug in OS X that allowed a local attacker to gain root privileges by abusing sudo’s cache. A few months earlier (January 2013) I informed Apple about a similar problem caused by OS X’s default tty_tickets = off setting. This insecure configuration allows all applications to misuse a cached sudo authentication within the cache timeout. The same issue was discussed in this thread on the Debian mailing list in 2010!

The sudo man page reads:

[…] Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time […]

As Mac OS X uses the default value, a 5 minute timeout is used. That means if an admin user runs sudo, a malicious script can run privileged commands without any further user interaction for 5 minutes. My PoC installs a launchd configuration file (sh.bogner.sudo_escalation.plist) that loads at startup. The script it launches tries to run as root as soon as the user has used sudo.


How to Reproduce

  1. The PoC has to be installed (with the installer command)
  2. The currently logged in user has to be member of the admin group
  3. The user or any application (like an installer) has to use the sudo command
    Like: sudo echo "Show me what the PoC does"
  4. should be launched as root

My bug report was acknowledged and ignored. This problem exists on all fully patched versions of OS X, including Snow Leopard (10.6), Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9). That’s a really long time to leave it unfixed!

The Fix

The reaction time is especially disappointing as the fix is very easy and has no side effects (at least for me):

  1. Open a terminal window and type (or better, copy and paste):
    export EDITOR=nano # you can skip this step if you know how to use vi
    sudo visudo # enter your password when prompted
  2. Add the following line after Defaults env_keep += "HOME MAIL" (it should look like this):

    Defaults        tty_tickets
  3. Press [CTRL]+[o] followed by [ENTER] to save your changes
  4. and [CTRL]+[x] to exit the editor
  5. Now you can verify your steps by retesting the PoC
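As an added example (not from the original post), here is a small POSIX shell script that reads a copy of a sudoers file, reports whether tty_tickets is effectively on, off or unset, and writes a hardened copy with the same Defaults line the fix above adds. The sudoers fragments in it are constructed for the demo, and the function names tty_tickets_state and harden_sudoers are my own; it is a review tool for a copy of the file, the real /etc/sudoers should still be changed through visudo so the syntax is checked before it is saved.

```shell
#!/bin/sh
# Added example, not from the original post: audit and harden a sudoers copy
# for the tty_tickets Default. Needs only POSIX sh and awk.

# Constructed sample: the OS X style sudoers the post describes, with no
# tty_tickets line, so the compiled-in default (off on those releases) applies.
SAMPLE_SUDOERS_WEAK="Defaults        env_reset
Defaults        env_keep += \"HOME MAIL\"
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL"

# Constructed sample: the same file after applying the fix from the post.
SAMPLE_SUDOERS_FIXED="Defaults        env_reset
Defaults        env_keep += \"HOME MAIL\"
Defaults        tty_tickets
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL"

# Print the effective tty_tickets setting for sudoers text read on stdin:
# "on", "off" (an explicit !tty_tickets) or "unset" (no Defaults line mentions
# it, so the compiled-in default applies). Later Defaults lines override
# earlier ones, so the last occurrence wins.
tty_tickets_state() {
  awk '
    /^[[:space:]]*#/ { next }                    # skip comments and #include lines
    /^[[:space:]]*Defaults/ {                    # only Defaults lines matter
      n = split($0, tok, "[ \t,]+")              # options may be comma separated
      for (i = 1; i <= n; i++) {
        if (tok[i] == "tty_tickets")  state = "on"
        if (tok[i] == "!tty_tickets") state = "off"
      }
    }
    END { print (state == "" ? "unset" : state) }
  '
}

# Emit the sudoers text from stdin with "Defaults tty_tickets" added. When the
# setting is unset the line goes right after env_keep, as in the post; when an
# explicit !tty_tickets is present the line is appended at the end so it
# overrides that negation. Input that already has it on is passed through.
harden_sudoers() {
  input=$(cat)
  state=$(printf '%s\n' "$input" | tty_tickets_state)
  if [ "$state" = "on" ]; then
    printf '%s\n' "$input"
    return 0
  fi
  if [ "$state" = "off" ]; then mode=append; else mode=after_env_keep; fi
  printf '%s\n' "$input" | awk -v mode="$mode" '
    { print }
    mode == "after_env_keep" && /^[[:space:]]*Defaults[[:space:]]+env_keep/ && !inserted {
      print "Defaults        tty_tickets"; inserted = 1
    }
    END { if (!inserted) print "Defaults        tty_tickets" }
  '
}

# Stand-alone demo: report the weak sample, then print its hardened copy.
printf 'weak sample: tty_tickets is %s\n' \
  "$(printf '%s\n' "$SAMPLE_SUDOERS_WEAK" | tty_tickets_state)"
printf '%s\n' "$SAMPLE_SUDOERS_WEAK" | harden_sudoers
```

To check a live system, feed it a copy of the file (for example `sudo cat /etc/sudoers | tty_tickets_state`). With tty_tickets on, the timestamp sudo records is tied to the terminal the password was typed on, so a background process started by a launchd job has no matching ticket to reuse, which is exactly what stops the PoC above.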

