Re: where to submit low security vulnerability in .profile?
Greg Wooledge writes:
> On Mon, Jun 19, 2017 at 06:00:58PM +0200, Nicolas George wrote:
>> On Primidi 1 Messidor, year CCXXV, Henrique de Moraes Holschuh wrote:
>> > That said, no, it is not usually considered a security vulnerability,
>> > because NOT using the full path to run commands such as "su" and "sudo"
>> > in the first place IS considered gross negligence.
>>
>> If your account has been compromised so much that an attacker was able
>> to add something in ~/bin/, then using the full path of the commands
>> does not bring any extra security.
>
> Henrique, I believe, was describing an attack that works like this:
>
> 1) Login.
> 2) PATH=~/bin:$PATH
> 3) vi ~/bin/su (insert malicious code); chmod 755 ~/bin/su
> 4) Call the system administrator, and get him/her to come to your desk.
> 5) Get the sysadmin to run "su -c something" for you at your desk.
> This runs your password-capturing program, which records the root
> password somewhere you can retrieve it after the sysadmin leaves.

Typing /bin/su instead doesn't help against this attack; for example, zsh
allows:

  $ alias /bin/su="echo Hallo"
  $ /bin/su
  Hallo

Or one could just present something that looks and behaves like the
normal shell except when /bin/su is called. Or use the DEBUG trap in
bash. Or...

In short, it is never safe to run `su` and enter a password from an
untrusted account. And one should regard all accounts one uses `su`
from as equivalent to root (for misuse; the password just helps
against breaking some things by accident).

Ansgar
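
Added example, not part of the message above or of the thread: a heuristic audit that root can run from a trusted session to flag the tricks named in the thread (an alias or function shadowing su/sudo, a bash DEBUG trap, the home directory placed ahead of the system PATH, a su/sudo file in ~/bin). The function names, the choice of startup files and the sample data are assumptions of this example, and a clean report does not make the account safe to `su` from.

```shell
# Added example: heuristic text audit of shell startup files, to be run by
# root from a trusted session. Files are read as text, never sourced.

# scan_rc FILE -> prints "FILE:LINE:KIND:TEXT" for each suspicious line
scan_rc() {
    [ -r "$1" ] || return 0
    awk -v q="'" '
    function hit(kind) { printf "%s:%d:%s:%s\n", FILENAME, FNR, kind, $0 }
    {
        line = $0
        gsub("[\"" q "]", "", line)      # drop quotes: alias "/bin/su"=...
        sub(/^[ \t]+/, "", line)
    }
    # alias su=..., alias /bin/su=..., zsh: alias -g sudo=...
    line ~ /^alias[ \t]+(-[A-Za-z]+[ \t]+)*([^= \t]*\/)?(su|sudo)=/ { hit("alias") }
    # su() { ... }  or  function sudo { ... }
    line ~ /^function[ \t]+(su|sudo)([ \t({]|$)/ || line ~ /^(su|sudo)[ \t]*[(][)]/ { hit("function") }
    # bash DEBUG trap runs before every command
    line ~ /^trap[ \t].*[ \t]DEBUG([ \t;]|$)/ { hit("debug-trap") }
    # home directory placed ahead of the system PATH
    line ~ /(^|[ \t;])PATH=(~|[$]HOME|[$][{]HOME[}])[^:]*:.*[$][{]?PATH/ { hit("path-prepend") }
    ' "$1"
}

# audit_home DIR -> scan the startup files bash and zsh read, plus DIR/bin
audit_home() {
    for rc in .profile .bash_profile .bash_login .bashrc \
              .zshenv .zprofile .zshrc .zlogin; do
        scan_rc "$1/$rc"
    done
    for name in su sudo; do
        if [ -e "$1/bin/$name" ]; then
            printf '%s:-:shadow-binary:%s\n' "$1/bin/$name" "$name"
        fi
    done
}

# demo: audit a constructed home directory (sample data, not from the thread)
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin" && : > "$d/bin/su"
    printf '%s\n' 'PATH=~/bin:$PATH' 'alias ll="ls -l"' > "$d/.profile"
    printf '%s\n' 'alias /bin/su="echo Hallo"' 'issue() { :; }' > "$d/.zshrc"
    printf '%s\n' "trap 'log_cmd' DEBUG" > "$d/.bashrc"
    audit_home "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then audit_home "$1"; else demo; fi
```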