Abstract
Sudo is a widely used utility that temporarily grants the privileges of another user when executing shell commands on many UNIX and Linux systems. In conventional usage, a Sudo user who passes password authentication may execute a series of shell commands with system administrative privileges for a period of time without re-entering the password. Because Sudo performs a privilege switch, it is by nature an attractive target for privilege escalation attacks. Although the Sudo source code has been reviewed by security researchers and patched accordingly, in this paper we show that Sudo is still vulnerable to session hijacking attacks through which an attacker can achieve privilege escalation. We explain how such attacks are possible by spotlighting the inherently flawed session handling of Sudo. We also describe two attack designs, a shell proxy attack and a ticket reuse attack, by revisiting some known attack strategies. Our experimental results show that recent versions of Sudo, in combination with the underlying shell program, are affected by both attack designs.
The opinions expressed herein are those of the authors and not of their affiliated institute, ETRI.
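The "period of time" in the abstract is Sudo's cached credential, the timestamp ticket that lets later commands on the same terminal run without a password prompt. As an added example that is not part of the paper or of the Sudo project's documentation, the two sudoers fragments below contrast a loose configuration, in which a ticket stays valid for minutes and is shared by everything the user runs on that terminal, with a hardened one that shortens or removes that window. The user name alice, the timeout value and the I/O log directory are assumptions; whether these directives defeat the specific shell proxy and ticket reuse attacks in the paper is not something the abstract states.

```sudoers
# Added example (not from the paper): two /etc/sudoers fragments for a
# hypothetical user "alice". Edit only with visudo; a syntax error here
# can lock every administrator out of sudo.

# --- Loose configuration -------------------------------------------------
# The credential is cached for 15 minutes (assumed value) and the command
# runs on the invoking shell's own tty. Anything that later runs on that
# terminal, on behalf of alice, inherits the cached ticket until it expires.
Defaults:alice  timestamp_timeout=15
Defaults:alice  !use_pty
alice  ALL=(ALL:ALL) ALL

# --- Hardened configuration ----------------------------------------------
# timestamp_timeout=0  : no cached credential at all; every sudo prompts.
# tty_tickets          : one ticket per terminal rather than one per user
#                        (already the default in current Sudo releases).
# use_pty              : run the command in its own pseudo-terminal instead
#                        of sharing the invoking shell's tty.
# log_output, iolog_dir: record session output for later forensics
#                        (directory is an assumption).
Defaults:alice  timestamp_timeout=0
Defaults:alice  tty_tickets
Defaults:alice  use_pty
Defaults:alice  log_output, iolog_dir=/var/log/sudo-io
alice  ALL=(ALL:ALL) ALL
```

A timeout of 0 trades convenience for the narrowest window: there is no ticket for a later process to reuse. Where a cached credential is still wanted, `sudo -k` run after each privileged command invalidates the caller's ticket immediately instead of waiting for the timeout.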
Notes
- 1.
- 2. Note that this is not the concept of a Sudo session but that of a process session.
Acknowledgments
We would like to thank Kaan Onarlioglu, Erwan Le Malécot, and the anonymous reviewers for their suggestions and comments.
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Jeong, J.H., Kim, H.C., Park, I.H., Noh, B.N. (2016). Hooking Graceful Moments: A Security Analysis of Sudo Session Handling. In: Ogawa, K., Yoshioka, K. (eds) Advances in Information and Computer Security. IWSEC 2016. Lecture Notes in Computer Science(), vol 9836. Springer, Cham. https://doi.org/10.1007/978-3-319-44524-3_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-44523-6
Online ISBN: 978-3-319-44524-3