
Re: Debian package manager privilege escalation attack




On Thu, 2021-08-12 at 07:38 +0200, Niels Thykier wrote:
> Timothy M Butterworth:
> > All,
> > 
> > I just ran across this article
> > https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I
> > tested
> > the attacks on Debian 11 and they work successfully giving me a root
> > shell prompt.
> > 
> > Tim
> > 
> 
> Hi Tim,
> 
> All of the attacks presented assume that the local user has "sudo"
> permissions to run apt and use that as the basis for escalating
> privileges (not commenting on yum or snap).
> 
> I think it is a good demonstration of how some sudo policies are too
> lenient and can be exploited.  Though I am not sure this is a bug in
> apt, as I do not think apt ever promised to be "safe" to use from a
> constrained sudo policy.
> 

Would you agree that there is an issue with sudo access that is enabled
by default on most Debian and Debian-based distributions? The bug may
not be in apt, but it definitely lives somewhere.

> Thanks,
> ~Niels
> 

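Added example, not part of the thread and not Debian's or apt's own tooling: a small POSIX shell auditor for the sudo policy problem Niels describes. A sudoers rule that lets a user run apt as root is in practice a root grant, because apt can be instructed to run helper commands on the invoker's behalf, so the auditor reports every delegated package-manager rule and marks unrestricted ones (no arguments, or a wildcard) as HIGH. The sudoers content is constructed for the example; the "%sudo" line is Debian's stock rule, the other entries are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): flag sudoers rules that delegate a
# package manager to a non-root user. The rule's literal scope does not
# matter much; delegating apt is close to delegating a root shell.

# Reduce one sudoers rule to its command list: drop "user host=", the
# optional "(runas)" specification and any "TAG:" prefixes.
rule_commands() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^[^=]*=[[:space:]]*//' \
        -e 's/^\([^)]*\)[[:space:]]*//' \
        -e 's/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):[[:space:]]*//g'
}

# audit_sudoers: read sudoers text on stdin and print one line per delegated
# package-manager command as "<severity>\t<user>\t<command>".
#   HIGH   - no argument restriction, or a wildcard: any invocation allowed
#   MEDIUM - fixed arguments; narrower, but still a package-manager grant
# Plain "ALL" rules are not reported: they are a full root grant already.
audit_sudoers() {
    grep -vE '^[[:space:]]*(#|$)' | while IFS= read -r rule; do
        user=${rule%%[[:space:]]*}
        rule_commands "$rule" | tr ',' '\n' | while IFS= read -r cmd; do
            # trim surrounding whitespace left by the comma split
            cmd=$(printf '%s\n' "$cmd" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
            [ -n "$cmd" ] || continue
            bin=${cmd%%[[:space:]]*}
            base=${bin##*/}
            case "$base" in
                apt|apt-get|aptitude|dpkg|yum|dnf|snap) ;;
                *) continue ;;
            esac
            args=${cmd#"$bin"}
            case "$args" in
                ''|*'*'*) severity=HIGH ;;
                *)        severity=MEDIUM ;;
            esac
            printf '%s\t%s\t%s\n' "$severity" "$user" "$cmd"
        done
    done
}

# Constructed sample sudoers content (not taken from any real system).
# "%sudo" is Debian's default rule; the remaining users are hypothetical.
SAMPLE='root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/apt-get
ops     ALL=(root) /usr/bin/apt-get install *, /usr/bin/systemctl restart nginx
backup  ALL=(root) NOPASSWD: /usr/bin/apt-get update
alice   ALL=(root) /usr/bin/snap install *'

# Usage: audit the sample, or a real policy with
#   audit_sudoers < /etc/sudoers   (and again for each file in /etc/sudoers.d)
printf '%s\n' "$SAMPLE" | audit_sudoers
```

On the sample this reports deploy, ops and alice as HIGH and backup as MEDIUM; the systemctl command and the stock "ALL" rules are not reported. The MEDIUM class is deliberately still reported: an argument-restricted apt rule is narrower, but the thread's point is that apt was never designed to be a safe command to delegate under a constrained sudo policy.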
