Hooking Graceful Moments: A Security Analysis of Sudo Session Handling

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9836)

Abstract

Sudo is a widely used utility program that temporarily grants the privileges of another user when executing shell commands on many UNIX and Linux systems. In conventional usage, a Sudo user who passes password authentication is eligible to execute a series of shell commands with system administrative privilege for a limited period. Because Sudo enables privilege switchover, it is by nature an attractive target for privilege escalation attacks. Although the Sudo source code has been reviewed by security researchers and patched accordingly, in this paper we show that Sudo is still vulnerable to session hijacking attacks through which an attacker can achieve privilege escalation. We explain how such attacks are possible by spotlighting the inherently flawed session handling of Sudo. We also describe two attack designs – shell proxy and ticket reuse attack – by revisiting some known attack strategies. Our experimental results show that recent versions of Sudo, in combination with the underlying shell program, are affected by these attack designs.

The opinions expressed herein reflect those of the authors, and not of the affiliated institute of ETRI.

Notes

  1. https://github.com/binoopang/sudo.

  2. Note that this is not the concept of Sudo session but that of process session.

Acknowledgments

We would like to thank Kaan Onarlioglu, Erwan Le Malécot, and the anonymous reviewers for their suggestions and comments.

Author information

Corresponding author

Correspondence to Hyung Chan Kim.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Jeong, J.H., Kim, H.C., Park, I.H., Noh, B.N. (2016). Hooking Graceful Moments: A Security Analysis of Sudo Session Handling. In: Ogawa, K., Yoshioka, K. (eds) Advances in Information and Computer Security. IWSEC 2016. Lecture Notes in Computer Science, vol 9836. Springer, Cham. https://doi.org/10.1007/978-3-319-44524-3_3

  • DOI: https://doi.org/10.1007/978-3-319-44524-3_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-44523-6

  • Online ISBN: 978-3-319-44524-3

  • eBook Packages: Computer Science (R0)