Bug 818

Summary: Security issue
Product: Sudo
Reporter: Duncan Overbruck <sudo>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: security    
Priority: low    
Version: 1.8.21   
Hardware: PC   
OS: Linux   

Description Duncan Overbruck 2017-12-14 11:05:30 MST
Hello Sudo maintainers,

I found a security issue that I would like to report. Is this the correct bug tracker?
If this is the right place and the issue is private, I will post further information.

Greetings,
Duncan Overbruck
Comment 1 Todd C. Miller 2018-01-18 12:41:27 MST
[copying from an email thread, with permission]

The issue I want to report is that it's fairly simple to reproduce
a process that would allow reusing a tty_ticket timestamp or ppid
timestamps.

I somehow think this is a known issue that is just ignored or forgotten,
which is why I tried to find a solution for this problem. I hope I'm not wasting
your time and can help improve sudo by reporting this.

I think a good solution would be to save the start time of the session leader
for TS_TTY and the start time of the parent process for TS_PPID timestamps.

On Linux, `/proc/$pid/stat` has a `starttime` field which would allow restricting
a timestamp to the lifetime of a parent process or the terminal session.

I wrote a PoC for it and it's working great; it's not fully automated.
The PoC needs the session ID as input and expects that the next new pts
already has a timestamp and that the PID of the session leader is available.

```
~@pi$ ssh -t localhost 'sudo id && echo $$'
Password:
uid=0(root) gid=0(root) groups=0(root)
13601
Connection to localhost closed.
~@pi$ ./hijack_timestamp 13601
ttyname=/dev/pts/4
uid=0(root) gid=0(root) groups=0(root)
```

The new TS_PPID timestamps are even simpler to reuse in the same way,
just without the pty part.
Comment 2 Todd C. Miller 2018-01-18 12:42:40 MST
This is fixed in sudo 1.8.22 which includes the start time of either the tty session leader or the parent process (depending on the timestamp_type setting and what is available).
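Added example (not sudo's code and not the reporter's PoC) illustrating the fix discussed in Comment 1 and Comment 2: read field 22 (`starttime`, in clock ticks since boot) from `/proc/<pid>/stat` for the session leader or parent, store it alongside the pid in the timestamp record, and refuse the record when the pid is gone or has been reused by a process with a different start time. The names `parse_proc_stat`, `read_proc_stat_raw`, `ts_record`, `ts_record_valid`, `ts_reuse_detected` and `proc_stat_starttime` are assumptions for this example; the two sample stat lines are constructed, not captured from a real host. Note the parsing caveat: the `comm` field is parenthesised and may itself contain spaces or `)`, so the numeric tail is located from the last `)` rather than by splitting on whitespace.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Fields of /proc/<pid>/stat this example needs (numbering as in proc(5)). */
struct proc_info { pid_t pid; unsigned long long starttime; };   /* 1 and 22 */

/* Parse a line in /proc/<pid>/stat format. Field 2 (comm) sits in parentheses
 * and may contain spaces or ')', so the tail is located from the LAST ')'
 * rather than by splitting on whitespace. Returns 0 on success, -1 if malformed. */
int parse_proc_stat(const char *line, struct proc_info *out)
{
    long long v = 0; char *end; const char *p; int field;
    errno = 0;
    out->pid = (pid_t)strtoll(line, &end, 10);
    if (end == line || errno != 0 || (p = strrchr(end, ')')) == NULL)
        return -1;
    for (p++, field = 3; field <= 22; field++) {   /* p -> " S ppid pgrp ..." */
        while (*p == ' ') p++;
        if (*p == '\0') return -1;                  /* too few fields */
        if (field == 3) { p++; continue; }          /* state is a letter */
        errno = 0;
        v = strtoll(p, &end, 10);
        if (end == p || errno != 0) return -1;
        p = end;
    }
    out->starttime = (unsigned long long)v;         /* v now holds field 22 */
    return 0;
}

/* Read /proc/<pid>/stat into buf (Linux only). Returns 0 on success. */
int read_proc_stat_raw(pid_t pid, char *buf, size_t size)
{
    char path[64]; FILE *f; size_t n;
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    if ((f = fopen(path, "r")) == NULL) return -1;
    n = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n > 0 ? 0 : -1;
}

/* Timestamp record in the spirit of sudo 1.8.22 (hypothetical layout; sudo's
 * real record has more fields): the pid the ticket is bound to (session leader
 * for TS_TTY, parent for TS_PPID) and that process's start time when the
 * record was written. Same pid with a different start time is a reused pid. */
struct ts_record { pid_t pid; unsigned long long starttime; };

int ts_record_valid(const struct ts_record *rec, const char *stat_line)
{
    struct proc_info pi;
    if (stat_line == NULL || parse_proc_stat(stat_line, &pi) != 0) return 0;
    return pi.pid == rec->pid && pi.starttime == rec->starttime;
}

/* 1 = ticket must be refused (pid gone or reused), 0 = same process,
 * -1 = the line captured at authentication does not parse. */
int ts_reuse_detected(const char *at_auth, const char *at_reuse)
{
    struct proc_info pi;
    struct ts_record rec;
    if (parse_proc_stat(at_auth, &pi) != 0) return -1;
    rec.pid = pi.pid; rec.starttime = pi.starttime;
    return ts_record_valid(&rec, at_reuse) ? 0 : 1;
}

/* Start time of a stat line, or ULLONG_MAX if it does not parse. */
unsigned long long proc_stat_starttime(const char *line)
{
    struct proc_info pi;
    return parse_proc_stat(line, &pi) == 0 ? pi.starttime : ULLONG_MAX;
}

/* Constructed sample lines (not captured from a real host). Both carry pid
 * 13601 as in the report; the second is a later process handed the same pid,
 * differing only in start time (and in a comm field with spaces and ')'). */
#define STAT_SESSION_LEADER "13601 (bash) S 13599 13601 13601 34820 13601 " \
    "4194560 2370 0 0 0 5 2 0 0 20 0 1 0 1234567 8765432 1200 0"
#define STAT_PID_REUSED "13601 (my sh) (x) S 13700 13601 13601 34820 13601 " \
    "4194560 10 0 0 0 0 0 0 0 20 0 1 0 1299001 4321000 300 0"

int main(void)
{
    struct proc_info pi; char buf[1024];
    printf("constructed lines: reuse detected = %d\n",
           ts_reuse_detected(STAT_SESSION_LEADER, STAT_PID_REUSED));
    /* Live check on Linux: bind a record to our parent and re-validate it. */
    if (read_proc_stat_raw(getppid(), buf, sizeof buf) == 0 &&
        parse_proc_stat(buf, &pi) == 0) {
        struct ts_record rec = { pi.pid, pi.starttime };
        printf("parent %ld started at tick %llu, record valid = %d\n",
               (long)rec.pid, rec.starttime, ts_record_valid(&rec, buf));
    }
    return 0;
}
```

The start time is in kernel clock ticks (see `sysconf(_SC_CLK_TCK)`), which is what makes it a stable identity for one incarnation of a pid within a boot; a record that also has to survive reboots would need to be invalidated on boot as well, since tick counts restart from zero.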