cross-platform virus
Sasha Tsykin
stsykin at gmail.com
Sun Apr 9 08:55:09 BST 2006
Peter Garrett wrote:
> On Sun, 09 Apr 2006 12:11:12 +1000
> Sasha Tsykin <stsykin at gmail.com> wrote:
>
>> Peter Garrett wrote:
>>> On Sun, 09 Apr 2006 02:36:54 +0200
>>> Hein-Pieter van Braam <hp at syntomax.com> wrote:
>>>
>>>> Try opening synaptic twice in a row, the login environment that gnome is
>>>> in still holds the sudo ticket, and thus it can restart an app without
>>>> asking for the password again. I am guessing that is the concern
>>> Indeed, you are right - perhaps the sudo "ticket" in this case should
>>> apply only for the app concerned. Not sure if that is possible, but this
>>> does look like a loophole.... Any app requiring sudo seems to open happily
>>> without a password if started after, say, synaptic during the time out
>>> period. : ( ...
>>>
>> Only if it is in the same terminal window.
>>
> Actually Sasha, I should have been more specific. My previous post said:
>
> <quote>
> The balance of probabilities is still heavily stacked against the attacker
> - the time-out applies only to the shell from which the sudo command is
> run.
>
> For instance, run
>
> sudo echo foo
>
> from one terminal - now open another and run it again from the new one.
> You get asked for a password ( unless you were previously using pts/2 or
> whatever the new shell is with sudo, and just reopened it)
>
> In other words, if the user had just run synaptic from the menu, and then
> opened a terminal and run the malware-affected program, sudo would still
> request a password.
>
> </quote>
>
> The later post, (as you quoted me at the top of this one), was a response
> to Hein-Pieter van Braam, agreeing with his point, on the following
> grounds:
>
> If you start synaptic (for example) from the *menu*, then start another
> app requiring gksudo/sudo soon afterwards *from the menu*, you will see
> that no password is asked the second time - as Hein-Pieter says, this is
> because both are started from the same gnome-spawned shell.
>
> So we don't disagree, but Hein-Pieter has pointed out a case where the
> scenario is trivially easy to reproduce.
>
> Peter
>
>
Fair enough; it actually is quite a worrying scenario. If, for example,
the menu entry for synaptic were to be targeted, and changed to load a
virus instead, then you would type the password into gksudo without
realising you are activating a virus. This definitely needs to be fixed.
Maybe the command being run could be shown in BIG LETTERS next to the place
where you type in your password.
Sasha
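The thread above turns on whether the current session already holds a cached sudo ticket, which is exactly what a second gksudo-launched program (or a trojaned menu entry) would silently inherit. The following is an added example, not part of the list discussion or of Ubuntu's sudo packaging: a small POSIX shell script that probes the ticket state without ever prompting, and drops the ticket so the next sudo/gksudo call must ask again. The function names `ticket_state` and `drop_ticket` are this example's own; the sudo flags it relies on (`-n`, `-k`, `-K`) are standard sudo options.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): probe whether the
# session sudo is invoked from already holds a usable ticket, and show
# how to discard it.
#
# ticket_state prints one word and always returns 0 so callers can branch
# on the word:
#   root      - running as uid 0; sudo never asks root for a password, so
#               the probe would say nothing about tickets
#   no-sudo   - sudo is not installed, nothing to check
#   no-prompt - "sudo -n true" ran without a password: either a cached
#               ticket exists for this session, or the sudoers rule is
#               NOPASSWD (the probe cannot tell the two apart)
#   prompt    - sudo would have asked for a password (no usable ticket,
#               or the user is not allowed to sudo at all)
ticket_state() {
    if [ "$(id -u)" -eq 0 ]; then
        echo root
        return 0
    fi
    if ! command -v sudo >/dev/null 2>&1; then
        echo no-sudo
        return 0
    fi
    # -n (non-interactive): fail instead of prompting if a password is
    # needed, so this is safe to run from scripts and cron jobs.
    if sudo -n true >/dev/null 2>&1; then
        echo no-prompt
    else
        echo prompt
    fi
}

# drop_ticket invalidates the caller's cached credential.  -K removes the
# timestamp entirely; -k merely expires it (kept as a fallback for very
# old sudo builds).  Neither flag prompts, and both are harmless when no
# ticket exists.  Returns 0 in all cases.
drop_ticket() {
    command -v sudo >/dev/null 2>&1 || return 0
    sudo -K 2>/dev/null || sudo -k 2>/dev/null || true
    return 0
}

# Typical interactive use: run ticket_state, then "sudo true" (enter the
# password), run ticket_state again and it reports no-prompt for this
# terminal; drop_ticket puts it back to prompt.
ticket_state
```

Where the behaviour Peter describes (one ticket per shell) is wanted rather than a session-wide ticket, the knobs live in /etc/sudoers and must be edited with `visudo`: `Defaults tty_tickets` keys the timestamp to the controlling terminal, and `Defaults timestamp_timeout=0` disables caching so every sudo or gksudo invocation asks for the password. Note that a GUI program started from a menu has no controlling terminal, so `tty_tickets` on its own does not separate two gksudo launches from the same desktop session; `timestamp_timeout=0` does.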