{"id":225,"date":"2007-05-30T15:43:44","date_gmt":"2007-05-30T14:43:44","guid":{"rendered":"http:\/\/west-penwith.org.uk\/blog\/archives\/225"},"modified":"2014-04-17T10:59:36","modified_gmt":"2014-04-17T09:59:36","slug":"red-faces-at-symantec","status":"publish","type":"post","link":"https:\/\/west-penwith.org.uk\/blog\/archives\/225","title":{"rendered":"Red faces at Symantec"},"content":{"rendered":"<p>Symantec Security Response Researcher Ron Bowes has <a href=\"http:\/\/www.symantec.com\/enterprise\/security_response\/weblog\/2007\/05\/the_danger_of_speling_mistakes.html\">written an article<\/a> which claims that a Unix-based system that uses sudo can be compromised by manipulating the search path.<\/p>\n<p>When you cut all the waffle about spelling mistakes, &#8220;.&#8221; in the path and scripts executed in error, what he is saying comes down to (using the Bourne shell) &#8230;<\/p>\n<p><code>$ echo \"echo 'exploited!'; whoami\" &gt; \/tmp\/mount<br \/>\n$ chmod +x \/tmp\/mount<br \/>\n$ PATH=\/tmp:$PATH<br \/>\n$ export PATH<br \/>\n$ sudo mount \/dev\/cdrom<br \/>\nPassword:<br \/>\nexploited!<br \/>\nroot<br \/>\n$ <\/code><\/p>\n<p>However, the writers of <code><a href=\"http:\/\/www.courtesan.com\/sudo\/sudo.html\">sudo(8)<\/a><\/code> were not as dumb as all that. If it were that easy it would have been blown years ago and, in fact, would not have been worth creating at all. I don&#8217;t know if he actually tested the code that he wrote, but if he did, and it worked, then he had a seriously broken sudo implementation.<\/p>\n<p>The &#8220;main&#8221; protection offered by <code>sudo<\/code>, to pick up on a point made by Mr. Bowes, is that it resolves the command the user typed to a full path and then checks that this path matches one permitted by the <code>sudoers(4)<\/code> table. 
<code>\/tmp\/mount<\/code> does not match <code>\/sbin\/mount<\/code>, so it is not granted root authority: <code>sudo<\/code> refuses to run the command at all rather than quietly substituting the real one. Where <code>sudoers<\/code> also sets <code>secure_path<\/code>, the user&#8217;s <code>PATH<\/code> is never consulted, and <code>\/sbin\/mount<\/code> is the one that gets found in the first place. The check is only as good as the policy behind it, though: an entry granting <code>ALL<\/code> matches <code>\/tmp\/mount<\/code> just as readily as <code>\/sbin\/mount<\/code>, and that is the one configuration in which the trick above does exactly what Mr. Bowes says.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Symantec Security Response Researcher Ron Bowes has written an article which claims that a Unix-based system that uses sudo can be compromised by manipulating the search path. When you cut all the waffle about spelling mistakes, &#8220;.&#8221; in the path and scripts executed in error, what he is saying comes down to (using the Bourne [&hellip;]<\/p>\n","protected":false},"author":239,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,5],"tags":[],"class_list":["post-225","post","type-post","status-publish","format-standard","hentry","category-security","category-technical"],"_links":{"self":[{"href":"https:\/\/west-penwith.org.uk\/blog\/wp-json\/wp\/v2\/posts\/225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/west-penwith.org.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/west-penwith.org.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/west-penwith.org.uk\/blog\/wp-json\/wp\/v2\/users\/239"}],"replies":[{"embeddable":true,"href":"https:\/\/west-penwith.org.uk\/blog\/wp-json\/wp\/v2\/comments?post=225"}],"version-history":[{"count":1,"href":"https:\/\/west-penwith.org.uk\/blog\/wp-json\/wp\/v2\/posts\/225\/revisions"}],"predecessor-version":[{"id":1985,"href":"https:\/\/west-penwith.org.uk\/blog\/wp-json\/wp\/v2\/posts\/225\/revisions\/1985"}],"wp:attachment":[{"href":"https:\/\/west-penwith.org.uk\/blog\/wp-json\/wp\/v2\/media?parent=225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/west-penwith.org.uk\/blog\/wp-json\/wp\/v2\/categories?post=225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/west-penwith.org.uk\/blog\/wp-json\/wp\/v2\/tags?post=225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
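The following is an added example, not code from the post above or from the sudo project. It models the two steps the post relies on: sudo walks the search path and takes the first executable with the typed name (what sudo's own `find_path()` does), then the sudoers policy compares that resolved full path against the paths it grants. The helper names (`resolve_command`, `sudoers_decision`, `simulate_sudo`, `demo`), the toy policy format (a list of full paths or the string `"ALL"`) and the scratch directory standing in for `/tmp` and `/sbin` are all assumptions made for the demonstration. It recreates the post's `PATH=/tmp:$PATH` scenario three times: against a sudoers entry that grants only the real `mount`, against the same entry with `secure_path` set, and against an entry granting `ALL`.

```python
"""Model of sudo's command resolution and sudoers path check.

Added example; it is not sudo's code and it grants no privileges.  Names
and the policy format are assumptions chosen for illustration.
"""
import os
import tempfile


def resolve_command(name, search_path):
    """Return the first executable called `name` along `search_path`.

    Mirrors sudo's find_path(): a name containing '/' is taken literally,
    otherwise each directory in the colon-separated list is tried in order
    and an empty entry means the current directory.
    """
    if "/" in name:
        return name if os.path.isfile(name) and os.access(name, os.X_OK) else None
    for directory in search_path.split(":"):
        candidate = os.path.join(directory or ".", name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def sudoers_decision(resolved, allowed):
    """Compare the resolved full path with what the policy grants.

    `allowed` is either the string "ALL" or a list of full command paths,
    the way a sudoers entry names them.  The typed name never takes part
    in the comparison; only the resolved path does.
    """
    if resolved is None:
        return "DENY: command not found"
    if allowed == "ALL" or resolved in allowed:
        return "ALLOW " + resolved
    return "DENY: not permitted to run " + resolved


def simulate_sudo(name, user_path, allowed, secure_path=None):
    """Resolve then authorise.  A `secure_path` replaces the user's PATH."""
    resolved = resolve_command(name, secure_path or user_path)
    return sudoers_decision(resolved, allowed)


def demo():
    """Rebuild the post's scenario in a scratch tree (constructed data).

    Returns the real and fake paths plus the decision for each policy.
    """
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        tmp = os.path.join(root, "tmp")
        os.mkdir(sbin)
        os.mkdir(tmp)
        real = os.path.join(sbin, "mount")   # stands in for /sbin/mount
        fake = os.path.join(tmp, "mount")    # the attacker's /tmp/mount
        for path in (real, fake):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho 'exploited!'; whoami\n")
            os.chmod(path, 0o755)
        user_path = tmp + ":" + sbin         # PATH=/tmp:$PATH as in the post
        results = {
            # sudoers grants only the real mount: the fake one is refused,
            # and nothing else is run in its place
            "restricted": simulate_sudo("mount", user_path, [real]),
            # same grant plus secure_path: the user's PATH is ignored
            "secure_path": simulate_sudo("mount", user_path, [real],
                                         secure_path=sbin),
            # a sudoers entry granting ALL matches the fake path too
            "all": simulate_sudo("mount", user_path, "ALL"),
        }
        return real, fake, results


if __name__ == "__main__":
    real_path, fake_path, outcome = demo()
    for policy, decision in outcome.items():
        print("%-12s %s" % (policy, decision))
```

The "restricted" case is the one the post describes: the resolved path is the fake one, it does not match the granted path, and sudo stops there. The "all" case is the caveat: the same resolution succeeds and the policy accepts it, so the attacker's script runs as root.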