Bug 163 - session handling vulnerability
Status: RESOLVED INVALID
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.8
Hardware: PC Linux
Importance: normal security
Assigned To: Todd C. Miller
Reported: 2004-12-26 09:21 MST by Mravik Attila
Modified: 2004-12-30 00:05 MST (History)
Description Mravik Attila 2004-12-26 09:21:21 MST
Sudo asks for a password on first use and then stores it for a "session". (I think
it's about 5 minutes or so.) I found that this session is bound to the user but not
to any terminal. Meaning that if I log in at tty1 and use sudo, "unlocking" it
with my password, a malicious user who got a user shell could use sudo without
a password.
(Well, at least one more security hole is required for gaining a user shell, but
this session handling could elevate the gained privileges to (semi) root
privileges.)
I use Debian Linux 3.1, and tested only on this particular OS.
Comment 1 Todd C. Miller 2004-12-29 20:05:11 MST
Sudo supports per-tty ticket files via the tty_tickets sudoers option; see the sudoers manual for more
info. Note, however, that unless you explicitly kill the ticket (sudo -k) when you log out, the same user
logging in on the same tty within 5 minutes will not be prompted for a password.
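
A way to check which behaviour a given sudoers file selects, following the tty_tickets option named in Comment 1. This is an added example, not part of the bug thread and not sudo's own code; the function name, the sample fragments and the simplifications listed in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not sudo's own code): decide from sudoers text whether
# tickets are per-tty or per-user. Reads sudoers content on stdin.
# Assumptions: only global "Defaults" lines are read (scoped forms such as
# Defaults:user and any include files are ignored), options are split on
# commas, and tty_tickets counts as off unless a Defaults line turns it on.
ticket_scope() {
    awk '
        BEGIN { state = "per-user" }
        /^[ \t]*#/ { next }                      # whole-line comment
        $1 == "Defaults" {
            sub(/[ \t]*#.*$/, "")                # trailing comment
            sub(/^[ \t]*Defaults[ \t]+/, "")     # keep only the option list
            n = split($0, opts, ",")
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/[ \t]/, "", o)
                if (o == "tty_tickets")  state = "per-tty"    # later lines win
                if (o == "!tty_tickets") state = "per-user"
            }
        }
        END { print state }
    '
}

# Constructed sudoers fragments (sample input, not taken from the report).
SUDOERS_NO_OPTION='Defaults env_reset
root ALL=(ALL) ALL'

SUDOERS_TTY='# per-tty tickets enabled
Defaults env_reset, tty_tickets   # one ticket per terminal
root ALL=(ALL) ALL'

SUDOERS_OVERRIDDEN='Defaults tty_tickets
Defaults !tty_tickets'

for name in SUDOERS_NO_OPTION SUDOERS_TTY SUDOERS_OVERRIDDEN; do
    eval "text=\$$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$text" | ticket_scope)"
done
```

For the logout caveat in Comment 1, a `sudo -k` line in the shell's logout file (for bash, `~/.bash_logout`) removes the ticket when the session ends.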