Bug 910

Summary: Timestamp update permits privilege escalation with expired token
Product: Sudo Reporter: Nick Geron <ngeron>
Component: SudoersAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.8.23   
Hardware: PC   
OS: Linux   
Attachments: Diff to defer time stamp update until after approval

Description Nick Geron 2019-12-03 10:55:17 MST 
Commit 594c2d4efd5c5492ef39125456bb30e2a5c8a250 on Jan 16, 2018 introduced a new approval function which introduces an issue when handling expired passwords.

On a high level the old behavior was to:

1) check the timestamp (pass if current)
2) verify the user (auth and approval)
3) update the timestamp on success

For the pam plugin, responses for both pam_authenticate and pam_acct_mgmt were evaluated before updating the timestamp. If one cancels during a password reset the timestamp is not updated and subsequent execs will require a new auth.

In splitting the auth and approval the behavior is now:

1) check the timestamp
2) verify the user (auth only)
3) update the timestamp on success
4) check approval (potentially req pass change) 

The trouble this introduces is that if a user has an expired password on a pam based system, they can escalate with the expired password by exiting during the password change operation; subsequent execs bypass pam auth due to the updated timestamp. Depending on identity management system configuration, this could permit the user indefinite continued use of the expired password if secondary controls are not in place.

-bash-4.2$ sudo -s
[sudo] password for myuser:
Password expired. Change your password now.
sudo: Account or password is expired, reset your password and try again
Current Password:
sudo: unable to change expired password: Authentication token manipulation error
-bash-4.2$ sudo -s
bash-4.2# exit
exit
-bash-4.2$ sudo -s
bash-4.2# exit
exit
-bash-4.2$
Comment 1 Todd C. Miller 2019-12-03 13:04:27 MST 
At the time I didn't think it was a major problem for the time stamp to be based on authentication of the old password since the approval function is called even when no password is required.  I'm a little confused as to why the approval module doesn't require a password change the second time sudo is run.
Comment 2 Todd C. Miller 2019-12-03 13:05:07 MST 
Created attachment 536 [details]
Diff to defer time stamp update until after approval
Comment 3 Todd C. Miller 2019-12-03 13:10:39 MST 
Note that the attached diff is relative to sudo 1.8.29.  To apply to 1.8.23 you'll need to adjust the call to sudo_auth_approval() to not include the exempt flag.
Comment 4 Nick Geron 2019-12-04 10:51:13 MST 
Thanks for the fast response, Todd. Your changes worked great. I confirmed the expected behavior this morning.

Will this update be worked into the next release?
Comment 5 Todd C. Miller 2019-12-04 12:39:19 MST 
I just committed that diff so it will appear in the next sudo release.
Comment 6 Todd C. Miller 2019-12-31 15:06:42 MST 
Fixed in sudo 1.8.30