Bugzilla – Bug 666
The timeout after entering a wrong password is easy to skip
Last modified: 2014-10-08 02:33:08 MDT
You can simply skip the timeout that comes up after you have entered a wrong password in sudo by hitting CTRL-C.

Steps to reproduce:
1. Execute "sudo test"
2. Enter some wrong password or just press enter
3. Instead of waiting until sudo shows "Sorry, try again.", now hit CTRL-C and see how it immediately shows "Sorry, try again." and asks you again to give your password.

This weird behaviour should at least make it possible to do some sort of dictionary attack on a user's password in a reasonable time.

Tested and verified with sudo 1.8.11 (arch testing), 1.8.10 (arch) and 1.8.9 (ubuntu 14.04 LTS).

Regards
Sudo installs a signal handler that just writes to a pipe before the command is executed (a separate signal handler is used during password entry itself). Since any signal received will interrupt a sleep, this has a side effect of ending the sleep done by pam_unix. The simplest solution is probably to just block SIGINT and SIGQUIT during authentication. Ideally, CTRL-C should also cause sudo's password reading loop to terminate, which is a bit more complicated since we don't want it to prevent logging from happening.
Created attachment 430: Patch to block SIGINT and SIGQUIT during password verification.

The attached patch should do the trick. It is no longer possible to interrupt the sleep in pam_unix, and the password loop will exit afterwards if the user enters ^C during the sleep.
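An added example, not sudo's code or the attached patch, that reproduces the mechanism from the two comments above in a small C program: a signal handler like the one sudo installs (it only records the signal here, where sudo writes to a pipe), a stand-in for pam_unix's failure delay, and the same delay with SIGINT and SIGQUIT blocked around it, so that ^C no longer cuts the sleep short and is delivered only once the delay has elapsed. The names `install_handler`, `sigint_after_ms` and `fail_delay` are mine, and a forked child standing in for the user pressing ^C is a test convenience.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
/* Stand-in for sudo's handler: sudo writes to a pipe, here we only record the signal. */
static volatile sig_atomic_t got_signal;
static void on_signal(int signo) { got_signal = signo; }
static void install_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;   /* SA_RESTART would not help: nanosleep is never restarted */
    sigaction(SIGINT, &sa, NULL);
    sigaction(SIGQUIT, &sa, NULL);
}
/* Test helper (constructed): a child sends us SIGINT after `ms`, like ^C at the prompt. */
static pid_t sigint_after_ms(long ms) {
    pid_t pid = fork();
    if (pid == 0) {
        struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
        nanosleep(&ts, NULL);
        kill(getppid(), SIGINT);
        _exit(0);
    }
    return pid;
}
struct delay_result { long elapsed_ms; int interrupted; };
/* Stand-in for pam_unix's failure delay. With `block` set, SIGINT and SIGQUIT are held
 * back for the whole delay (what the 1.8.11p1 fix does) and delivered only after it. */
static struct delay_result fail_delay(long delay_ms, int block) {
    struct delay_result r = { 0, 0 };
    struct timespec t0, t1, ts = { delay_ms / 1000, (delay_ms % 1000) * 1000000L };
    sigset_t mask, saved;
    sigemptyset(&mask); sigaddset(&mask, SIGINT); sigaddset(&mask, SIGQUIT);
    got_signal = 0;
    install_handler();
    pid_t child = sigint_after_ms(100);            /* the "user" hits ^C 100 ms in */
    if (block) sigprocmask(SIG_BLOCK, &mask, &saved);
    clock_gettime(CLOCK_MONOTONIC, &t0);
    r.interrupted = (nanosleep(&ts, NULL) == -1 && errno == EINTR);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    if (block) sigprocmask(SIG_SETMASK, &saved, NULL); /* a pending ^C is delivered here */
    r.elapsed_ms = (t1.tv_sec - t0.tv_sec) * 1000 + (t1.tv_nsec - t0.tv_nsec) / 1000000;
    waitpid(child, NULL, 0);
    return r;
}
```

Without blocking, the delay ends as soon as the signal arrives; with blocking, the full delay elapses and the handler still sees the ^C afterwards, which is what lets the password loop exit once the sleep is over.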
Fixed in sudo 1.8.11p1, available now.