NewsPoster Aug 28, 2013 11:20 PM
Flaw in Unix sudo command threatens OS X, Linux
A flaw in the Unix "sudo" program that has remained unaddressed in recent implementations of OS X and some distributions of Linux could allow a current or former user who still has admin-level access to the computer the ability to gain root access, presenting a security risk. The flaw, discovered by security testing software maker Metasploit, requires would-be attackers to jump through a number of hoops, however.

The possibility of an attacker successfully exploiting the vulnerability is pretty remote under most circumstances, but there are situations where the various requirements could be met, and the attack successful. The flaw, which involves resetting the target computer's clock, requires that the attacker already have admin-level privileges on the machine, have physical or remote access to it, and the attacker must have used the sudo command on the machine successfully once before. All three of the conditions must be satisfied in order for the intruder to reset the computer's clock in the manner necessary to gain root privileges.

By default under OS X, only the owner of the machine has administrator privileges, and remote sharing is off -- completely preventing non-users or remote attackers from being able to even begin utilizing the exploit. The fact that the attacker must be a person who still has admin-level access to the machine narrows the risk quite considerably. Further, it is thought that only a single-digit percentage of Mac users ever engage the sudo command at all, which requires the use of the Terminal program.

However, a scenario such as a recently-fired employee of a company, a jilted lover or an abusive mate that still has an admin-level account on the target machine could conceivably have both the access and the technical know-how to exploit the flaw and gain full access to all files on the target computer. On the Mac, the bug exists in all recent versions of OS X from 10.7 onwards. Under Linux, the flaw either exists or has been worked around depending on the particular distribution.

Apple may be waiting for its upcoming release of the next major version of OS X, called Mavericks, to address the vulnerability -- reasoning that the chances of an attack are sufficiently low as to not be a high-priority item. To date, there have been no known successful attacks exploiting the flaw. However, Metasploit went public in order to urge Apple to address the problem promptly.

The company's motives in revealing the problem may be suspect, however, as Metasploit sells "penetration-testing software" for security and IT professionals, and thus has a vested interest in making its audience aware of potential security risks for the Mac and other platforms. Apple was notified of the problem five months ago, but has not issued a formal public or private response. The iPhone maker has been known to be sometimes slow to respond to bugs found in open-source software, preferring to wait until a scheduled update or new release rather than patch problems as they come along for flaws the company doesn't see as likely.
burger Aug 29, 2013 10:26 AM
"The flaw, which involves resetting the target computer's clock, requires that the attacker already have admin-level privileges on the machine, have physical or remote access to it, and the attacker must have used the sudo command on the machine successfully once before."

coffeetime Aug 29, 2013 10:39 AM
In other words, if a robber stands inside your house, he can rob your house easily. Well, that makes sense. Why hadn't I thought about that?
JBracy Aug 29, 2013 11:14 AM
I'm confused. If an attacker has Admin privileges why would he need to reset the clock to get root privileges? All admin users already have sudo access.

To expand on coffeetime's comment - it's actually saying "If your roommate is in your house and has the keys, then he can take whatever he wants. If you kick him out, but don't change the locks or take away his keys then he can still come in and take whatever he wants."

I'd like to know how other OS's have "mitigated" this "exploit" without completely disabling the sudo command.
gprovida Aug 29, 2013 11:35 AM
Concur with facepalm. Not sure I understand. The only explanation I can get is that there is some sloppy code software that allows an admin to bypass the normal means to get root access by using this flaw. Presumably the threat is not an admin user exploiting this, but rather some other kind of exploit might be doable given the software weakness. But this is pure speculation.
DiabloConQueso Aug 29, 2013 12:04 PM
"All admin users already have sudo access."

On Mac OS X's implementation of FreeBSD, yes.

On other *NIX systems, not always. Debian 7 is an example of administrators not having sudo privileges until explicitly given them by the superuser by addition of their account to the sudoers file. Hell, sudo isn't even installed by default on Debian 7 systems -- you must either install it, or use su, which requires knowledge of the root/superuser password.

It's definitely a security hole, albeit one that more than most users will never have to worry about (but for sysadmins who manage enterprise-level *NIX systems with multiple administrator users, it's a relatively big concern). Still, this is what makes UNIX one of the most powerful and secure systems on the earth -- it's been under constant development and hardening for over 40 years.
The Vicar Aug 29, 2013 08:53 PM
The point is that if the attacker can exploit this flaw, then they never have to enter a password again. (They could even create a user which the OS would think was a non-admin user -- IIRC the "admin" thing is determined by membership in a particular group -- grant it permanent root privileges, and then log out.) Situations where this is important are rare, but technically possible. Bottom line: it's good for everyone if Apple fixes security holes, even minor ones. Especially if the fix already exists and can be patched in, which appears to be the case here.