
Re: Debian package manager privilege escalation attack



Timothy M Butterworth:
> All,
> 
> I just ran across this article
> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> the attacks on Debian 11 and they work successfully giving me a root
> shell prompt.
> 
> Tim
> 

Hi Tim,

All of the attacks presented assume that the local user has "sudo"
permissions to run apt and use that as the basis for escalating
privileges (not commenting on yum or snap).

I think it is a good demonstration of how some sudo policies are too
lenient and can be exploited.  Though I am not sure this is a bug in
apt, as I do not think apt ever promised to be "safe" to use from a
constrained sudo policy.

Note that the blog post itself also mentions this:

"""
[...] In certain cases the user should not be a root/admin user but has
been assigned sudo permissions to run the package manager only for
package management purposes.

We’ll look at how this permission can be abused to gain root access to
the machine via a root shell.
"""
(from the "Introduction")

My reading is that "this permission" refers to the "assigned sudo
permissions".

Thanks,
~Niels
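
An added example, not part of this thread or of the blog post: a simplified sudoers audit that lists rules granting a package manager (directly or through a Cmnd_Alias) so that they can be reviewed. The sample policy, user names and function names are constructed for illustration; includes, User_Alias expansion and escaped commas are not handled.

```python
import re

PACKAGE_MANAGERS = {"apt", "apt-get", "yum", "snap"}  # named in the thread, plus apt-get

# Constructed sample policy, not taken from the thread or the blog post.
SAMPLE_SUDOERS = """\
Defaults env_reset
Cmnd_Alias PKG = /usr/bin/apt, \\
                 /usr/bin/apt-get update
alice ALL=(root) NOPASSWD: PKG
bob   ALL=(root) /usr/bin/systemctl restart nginx
carol ALL=(ALL:ALL) /usr/bin/snap install *, /usr/bin/less /var/log/syslog
"""

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def split_commands(spec):
    return [c.strip() for c in spec.split(",") if c.strip()]

def audit_sudoers(text):
    """Return (user, command) pairs where the command is a package manager."""
    aliases, findings = {}, []
    lines = list(logical_lines(text))
    for line in lines:  # first pass: collect Cmnd_Alias definitions
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = split_commands(m.group(2))
    for line in lines:  # second pass: inspect user specifications
        if re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue
        who, rhs = line.split("=", 1)
        rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)      # drop the (runas) part
        rhs = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", rhs)   # drop tags such as NOPASSWD:
        for cmd in split_commands(rhs):
            for real in aliases.get(cmd, [cmd]):         # expand aliases
                binary = real.split()[0].rsplit("/", 1)[-1]
                if binary in PACKAGE_MANAGERS:
                    findings.append((who.split()[0], real))
    return findings

if __name__ == "__main__":
    for user, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"review: {user} may run {cmd} via sudo")
```

A rule is reported even when it fixes the arguments, since apt makes no promise of being safe under a constrained sudo policy; each hit is something to review, not a verdict.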

