Bug 666

Summary: The timeout after entering a wrong password is easy to skip
Product: Sudo Reporter: sudobugs
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.8.11   
Hardware: PC   
OS: Linux   
Attachments: Patch to block SIGINT and SIGQUIT during password verification.

Description sudobugs 2014-09-26 07:08:15 MDT 
You can simply skip the timeout that comes up after you entered a wrong password in sudo by hitting CTRL-C.

Steps to reproduce:
1. Execute "sudo test"
2. Enter some wrong password or just press enter
3. Instead of waiting until sudo shows "Sorry, try again." now hit CTRL-C and see how it immediately shows "Sorry, try again." and asks you again to give your password.

This weird behaviour should at least make it possible to do some sort of dictionary attack on a users password in a reasonable time.

Tested and verified with sudo 1.8.11 (arch testing), 1.8.10 (arch) and 1.8.9 (ubuntu 14.04 LTS).

Regards
Comment 1 Todd C. Miller 2014-09-26 09:58:45 MDT 
Sudo installs a signal handler that just writes to a pipe before the command is executed (a separate signal handler is used during password entry itself).   Since any signal received will interrupt a sleep, this has a side effect of ending the sleep done by pam_unix.  The simplest solution is probably to just block SIGINT and SIGQUIT during authentication.

Ideally, CTRL-C should also cause sudo's password reading loop to terminate which is a bit more complicated since we don't want it to prevent logging from happening.
Comment 2 Todd C. Miller 2014-09-26 14:58:59 MDT 
Created attachment 430 [details]
Patch to block SIGINT and SIGQUIT during password verification.

The attached patch should do the trick.  It is no longer possible to interrupt the sleep in pam_unix and the password loop will exit afterwards if the user enters ^C during the sleep.
Comment 3 Todd C. Miller 2014-10-08 02:33:08 MDT 
Fixed in sudo 1.8.11p1, available now.