Red faces at Symantec

Symantec Security Response Researcher Ron Bowes has written an article which claims that a Unix-based system that uses sudo can be compromised by manipulating the search path.

When you cut all the waffle about spelling mistakes, “.” in the path and scripts executed in error, what he is saying comes down to this (using the Bourne shell):

$ echo "echo 'exploited!'; whoami" > /tmp/mount
$ chmod +x /tmp/mount
$ PATH=/tmp:$PATH
$ export PATH
$ sudo mount /dev/cdrom
Password:
exploited!
root
$

However the writers of sudo(8) were not as dumb as all that. If it was that easy it would have been blown years ago and, in fact, would not have been worth creating at all. I don’t know if he actually tested the code that he wrote but if he did, and it worked, then he had a seriously broken sudo implementation.

The “main” protection offered by sudo, to pick up on a point made by Mr. Bowes, is that it checks that the path to the command about to be executed matches the one permitted by the sudoers(4) table. /tmp/mount does not match /sbin/mount so it will not be granted root authority—indeed it will not be executed at all by sudo, the real one will be.
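
The comparison described above, as an added Bourne shell sketch that is not sudo's code and not part of the original post: it resolves a command name through a given PATH and compares the result with the sudoers-permitted path. The function names and the temporary stand-in directories for /tmp and /sbin are constructed for illustration, and only the match/mismatch decision is modelled.

```shell
#!/bin/sh
# Simplified model, NOT sudo's source: resolve a command name through a
# PATH string, then compare the result with the sudoers-permitted path.

# resolve_in_path NAME PATHSTRING: print the first executable match.
resolve_in_path() {
    name=$1
    rest=$2:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$dir" ]; then dir=.; fi   # empty element = current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# check_command NAME PATHSTRING PERMITTED: report whether the resolved
# path is the permitted one. Non-zero status unless it matches.
check_command() {
    resolved=$(resolve_in_path "$1" "$2") || { echo "notfound"; return 1; }
    if [ "$resolved" = "$3" ]; then
        echo "match $resolved"
    else
        echo "mismatch $resolved"
        return 1
    fi
}

# Constructed fixture: stand-ins for /tmp and /sbin, each holding a "mount".
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir "$root/tmp" "$root/sbin"
    for d in tmp sbin; do
        printf '#!/bin/sh\necho %s\n' "$d" > "$root/$d/mount"
        chmod +x "$root/$d/mount"
    done
    printf '%s\n' "$root"
}

fx=$(make_fixture)
check_command mount "$fx/tmp:$fx/sbin" "$fx/sbin/mount" || true  # PATH order as in the session above
check_command mount "$fx/sbin:$fx/tmp" "$fx/sbin/mount" || true  # unmodified order
rm -rf "$fx"
```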
