Bugzilla – Bug 818
Security issue
Last modified: 2018-01-18 12:42:40 MST
Hello Sudo maintainers, I found a security issue that I would like to report. Is this the correct bug tracker? If this is the right place and the issue is private, I will post further information. Greetings, Duncan Overbruck
[copying from an email thread, with permission]

The issue I want to report is that it's fairly simple to reproduce a process that would allow reusing a tty_ticket or ppid timestamp. I somehow think this is a known issue that is just ignored or forgotten, which is why I tried to find a solution for this problem. I hope I'm not wasting your time and can help improve sudo by reporting this.

I think a good solution would be to save the start time of the session leader for TS_TTY and the start time of the parent process for TS_PPID timestamps. On Linux `/proc/$pid/stat` has a `starttime` field which would allow restricting a timestamp to the lifetime of a parent process or the terminal session.

I wrote a PoC for it and it's working great; it's not fully automated. The PoC needs the session id as input and expects that the next new pts already has a timestamp and that the PID of the session leader is available.

```
~@pi$ ssh -t localhost 'sudo id && echo $$'
Password:
uid=0(root) gid=0(root) groups=0(root)
13601
Connection to localhost closed.
~@pi$ ./hijack_timestamp 13601
ttyname=/dev/pts/4
uid=0(root) gid=0(root) groups=0(root)
```

The new TS_PPID timestamps are even simpler to reuse in the same way, just without the pty part.
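The check proposed above, as an added illustration (this is not sudo's code and not the reporter's PoC): read field 22 (`starttime`, clock ticks since boot) of `/proc/<pid>/stat` for the session leader when the timestamp record is created, store it alongside the pid, and only honour the record while a process with the same pid and the same start time is still alive. A pid that was recycled after the original session leader exited carries a different start time, so the check fails closed. The struct and function names (`ts_owner`, `record_owner`, `owner_still_valid`) are hypothetical; the code assumes a Linux `/proc` filesystem and is written in the reporter's own terms (pid of the session leader for a TS_TTY-style record, `getppid()` would be used instead for TS_PPID).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Parse field 22 (starttime, in clock ticks since boot) out of one
 * /proc/<pid>/stat line.  Field 2 (comm) is wrapped in parentheses and may
 * itself contain spaces or ')', so parsing starts after the LAST ')'.
 * Returns -1 on malformed input. */
long long parse_starttime(const char *stat_line)
{
    const char *p = strrchr(stat_line, ')');
    if (p == NULL)
        return -1;
    p++;                                /* at the space before field 3 */
    for (int field = 3; field < 22; field++) {
        while (*p == ' ')
            p++;
        while (*p != '\0' && *p != ' ')
            p++;                        /* skip this field */
        if (*p == '\0')
            return -1;                  /* line ended before field 22 */
    }
    while (*p == ' ')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 10);
    if (end == p || errno != 0)
        return -1;
    return (long long)v;
}

/* Start time of a live process; -1 if it no longer exists (or /proc is
 * unavailable, e.g. on non-Linux systems). */
long long starttime_of_pid(pid_t pid)
{
    char path[64], line[1024];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    char *ok = fgets(line, sizeof line, f);
    fclose(f);
    return ok ? parse_starttime(line) : -1;
}

/* Hypothetical timestamp owner record: the pid plus its start time. */
struct ts_owner {
    pid_t pid;
    long long starttime;
};

/* Called when the timestamp is created.  Fails if the owner is unknown. */
int record_owner(struct ts_owner *rec, pid_t pid)
{
    rec->pid = pid;
    rec->starttime = starttime_of_pid(pid);
    return rec->starttime >= 0 ? 0 : -1;
}

/* Called when the timestamp is about to be honoured.  Valid only while the
 * SAME process (same pid AND same starttime) is still running. */
int owner_still_valid(const struct ts_owner *rec)
{
    if (rec->starttime < 0)
        return 0;
    long long now = starttime_of_pid(rec->pid);
    return now >= 0 && now == rec->starttime;
}

int main(void)
{
    struct ts_owner rec;
    pid_t leader = getsid(0);           /* session leader, TS_TTY style */
    if (record_owner(&rec, leader) != 0) {
        perror("record_owner");
        return 1;
    }
    printf("session leader %ld started at tick %lld; valid: %s\n",
           (long)rec.pid, rec.starttime, owner_still_valid(&rec) ? "yes" : "no");
    /* Simulate a recycled pid: same pid, different start time -> rejected. */
    struct ts_owner stale = { rec.pid, rec.starttime + 1 };
    printf("stale record valid: %s\n", owner_still_valid(&stale) ? "yes" : "no");
    return 0;
}
```

Two details matter for this to hold up: the parser must scan from the last `)` because the comm field is attacker-influenced (a process can name itself `a) S 1 2`), and a lookup failure must be treated as "not valid" rather than "unknown", otherwise a timestamp whose owner has exited would be accepted.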
This is fixed in sudo 1.8.22 which includes the start time of either the tty session leader or the parent process (depending on the timestamp_type setting and what is available).