Last year there was a bug in OS X that allowed a local attacker to gain root privileges by abusing sudo’s cache. A few months earlier (January 2013) I informed Apple about a similar problem caused by OS X’s default tty_tickets = off setting. This insecure configuration allows all applications to misuse a cached sudo authentication within the cache timeout. The same issue was discussed in this thread on the Debian mailing list in 2010!
The sudo man page reads:
[…] Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time […]
As Mac OS X uses the default value, a 5-minute timeout applies. That means that if an admin user runs sudo, a malicious script can run privileged commands without any further user interaction for 5 minutes. My PoC installs a launchd configuration file (sh.bogner.sudo_escalation.plist) that loads sudo_escalation.sh at startup. This script tries to launch Terminal.app as root as soon as the user has used sudo.
How to Reproduce
- The PoC has to be installed (with the installer command)
- The currently logged in user has to be member of the admin group
- The user or any application (like an installer) has to use the sudo command
  Like: sudo echo "Show me what the PoC does"
- Terminal.app should be launched as root
My bug report was acknowledged and ignored. This problem exists on all fully patched versions of OS X including Snow Leopard (10.6), Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9). That is a really long time to leave this unfixed!
The reaction time is especially disappointing as the fix is very easy and without any side effects (at least for me):
- Open a terminal window and type (or better copy and paste):
  export EDITOR=nano   # you can skip this step if you know how to use vi
  sudo visudo          # enter your password afterwards
- Add the following line after Defaults env_keep += "HOME MAIL" (it should look like this):
- Press [CTRL]+[o] followed by [ENTER] to save your changes
- and [CTRL]+[x] to exit the editor
- Now you can verify your steps by retesting the PoC
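As an added example (not from the original post), here is a POSIX shell audit of a sudoers file for the two settings that bound this window, tty_tickets and timestamp_timeout, run over two constructed sudoers fragments: the OS X default the post describes and the hardened variant. It assumes the documented sudoers syntax Defaults tty_tickets / Defaults !tty_tickets and Defaults timestamp_timeout=N (minutes); user- or host-specific Defaults lines are not handled.

```shell
#!/bin/sh
# Audit sudoers for the cached-credential settings discussed above.
# Added example, not the post's code. Assumes plain "Defaults ..." lines only.

# Effective value of a boolean Defaults flag: "on", "off" or "default".
# Comma-separated option lists are split; the last occurrence wins.
sudoers_flag() {            # $1 = sudoers file, $2 = flag name
    grep -E '^[[:space:]]*Defaults[[:space:]]' "$1" \
        | tr ',' '\n' \
        | sed 's/[[:space:]]//g; s/^Defaults//' \
        | awk -v f="$2" '$0 == f { v = "on" } $0 == ("!" f) { v = "off" }
                         END { if (v == "") v = "default"; print v }'
}

# Effective timestamp_timeout in minutes; sudo's compiled-in default is 5.
sudoers_timeout() {         # $1 = sudoers file
    grep -E '^[[:space:]]*Defaults[[:space:]]' "$1" \
        | tr ',' '\n' \
        | sed 's/[[:space:]]//g; s/^Defaults//' \
        | awk -F= '$1 == "timestamp_timeout" { v = $2 }
                   END { if (v == "") v = 5; print v }'
}

# Returns 0 when the file closes the window the PoC abuses, 1 otherwise.
# "default" counts as off, which is the OS X behaviour the post reports.
audit_sudoers() {
    tickets=$(sudoers_flag "$1" tty_tickets)
    timeout=$(sudoers_timeout "$1")
    echo "$1: tty_tickets=$tickets timestamp_timeout=$timeout"
    [ "$tickets" = "on" ] && return 0      # ticket bound to one tty
    [ "$timeout" -eq 0 ] && return 0       # 0 = password on every sudo
    return 1
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed sample: the default described in the post (no tty_tickets line).
cat > "$tmp/weak" <<'EOF'
Defaults env_reset
Defaults env_keep += "HOME MAIL"
%admin ALL=(ALL) ALL
EOF
# Constructed sample: per-tty tickets enabled, as the fix above recommends.
cat > "$tmp/hardened" <<'EOF'
Defaults env_reset
Defaults env_keep += "HOME MAIL"
Defaults tty_tickets
%admin ALL=(ALL) ALL
EOF
WEAK_SUDOERS="$tmp/weak"; HARDENED_SUDOERS="$tmp/hardened"
audit_sudoers "$WEAK_SUDOERS" || echo "  -> any process of the user can reuse the cached ticket"
audit_sudoers "$HARDENED_SUDOERS" && echo "  -> ticket usable only from the terminal that authenticated"
```

Point audit_sudoers at a copy of /etc/sudoers (readable only as root) to check a real system the same way.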