Mar 112014
 

Last year there was a bug in OS X that allowed a local attacker to gain root privileges by abusing sudo’s cache. A few month earlier (January 2013) I informed Apple about a similar problem caused by OS X’s default tty_tickets = off setting. This insecure configuration allows all applications to misuse a cached sudo authentication within the cache timeout. The same issue was discussed in this thread on the Debian mailing list in 2010!

The sudo man page reads:

[…] Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time […]

As Mac OS X uses the default value, a 5 minute timeout is used. That means if a admin user runs sudo, a malicious script can run privileged commands without any further user interaction for 5 minutes. My PoC installs a launchd configuration file (sh.bogner.sudo_escalation.plist) that loads sudo_escalation.sh at startup. This script tries to launch Terminal.app as root as soon as the user used sudo.

Download

How to Reproduce

  1. The PoC has to be installed (with the installer command)
  2. The currently logged in user has to be member of the admin group
  3. The user or any application (like an installer) has to use the sudo command
    Like: sudo echo “Show me what the PoC does”
  4. Terminal.app should be launched as root

My bug report was acknowledged and ignored. This problems exists on all fully patched versions of OS X including Snow Leopard (10.6), Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9). That’s a really bad time to fix!

The Fix

The reaction time is especially disappointing as the fix is very easy and without any side effects (at least for me):

  1. Open a terminal window and type (or better copy and paste):
    export EDITOR=nano #you can skip this step if you know how to use vi
    sudo visudo #enter you password afterwards
  2. Add the following line after Defaults env_keep += “HOME MAIL” (it should look like this):

    Defaults        tty_tickets
  3. Press [CTRL]+[o] followed by [ENTER] to save your changes
  4. and [CTRL]+[x] to exit the editor
  5. Now you can verify your steps by retesting the PoC

  One Response to “Another Mac OS X Sudo Password Bypass”

  1. […] can potentially obtain the same access, making this a security risk. Utilities like sudo have weaknesses that can be exploited by concurrently running programs and many panes in System Preferences are unlocked by default [p. […]

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)