Re: sudo and command line expansion

From: Kent Smith (ksmith@ipsoinc.com)
Date: 12/17/02

    From: Kent Smith <ksmith@ipsoinc.com>
    Date: Tue, 17 Dec 2002 18:51:55 GMT
    
    

    On 17 Dec 2002 10:23:34 -0600, gl@arlut.utexas.edu (Jay G. Scott)
    wrote:

    >
    >Greetings,
    >
    >What's to prevent a cracker from doing something like this:
    >
    >sudo /usr/bin/ls `/bin/sh /tmp/gimmerootprivs`
    >
    >I can't make this work, but I'm hardly an expert.
    >Is sudo any more or less vulnerable than regular
    >command line expansion?
    >
    >If this worked, all is lost:
    >
    >ls `/bin/sh /tmp/gimmerootprivs`
    >
    >Does adding sudo to the mix make things any better or worse?
    >(I know if the `portion` is innocent enough it will expand.
    >I.e., `ls /proc` will expand.)

    It's not as vulnerable as you think, because the command line
    expansion happens before the command is executed - meaning that it is
    done in your context. The order of execution under shell is:

    1) history substitution (C shell only)
    2) Splitting words
    3) Updating the history list (C shell only)
    4) Interpreting quotes (single and double - not back-tick)
    5) Alias substitution (C shell only)
    6) Redirection (<, >, |)
    7) Variable substitution
    8) Command substitution <-- What you are attempting
    9) Filename expansion
    10) Command execution

    So the '/bin/sh /tmp/gimmerootprivs' would be executed in your own
    context (unprivileged) and the result list generated would be 'ls'd by
    a root process.

    Furthermore, IT WOULD BE LOGGED, so you could see if anyone is trying
    this on your machine. You *are* logging sudo aren't you?

    Security isn't worth much without reasonable monitoring.

    --Kent
    =================================
    Kent Smith
    IPSO Incorporated
    Business * Technology * Solutions
    http://www.ipsoinc.com
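The two points of the reply above, as an added example that is not code from the thread: the back-ticked part of `sudo /usr/bin/ls `...`` is expanded by the invoking user's shell before the privileged command starts, and the sudo log records the argument list that resulted. `privileged_cmd` is a hypothetical stand-in for "sudo /usr/bin/ls" (it only reports the arguments it was handed, which is all ls would see), and the sudo log line is constructed for the example in sudo's default syslog format.

```shell
#!/bin/sh
# Added example, not part of the original thread. privileged_cmd is a
# hypothetical stand-in for "sudo /usr/bin/ls": like ls, it only ever sees
# the arguments handed to it, after the invoking shell has done all expansion.

privileged_cmd() {
    for arg in "$@"; do printf '[%s]' "$arg"; done
    printf '\n'
}

# Uid under which the back-ticked part of  privileged_cmd `...`  actually ran.
substitution_uid() {
    marker=$(mktemp)
    # Step 8 of the reply: command substitution happens here, in the caller's
    # shell, before privileged_cmd is even looked up. The inner command records
    # its own uid, then emits the words that become privileged_cmd's arguments.
    privileged_cmd `id -u >"$marker"; echo /tmp/a /tmp/b` >/dev/null
    cat "$marker"
    rm -f "$marker"
}

# Arguments the privileged command receives: only the already-expanded words.
argv_seen_by_command() {
    privileged_cmd `echo /tmp/a /tmp/b`
}

# What sudo would log for that invocation (constructed sample line, in sudo's
# default syslog format). COMMAND= holds the argv after expansion, so the
# back-ticks themselves never appear, but the unusual arguments do.
SAMPLE_SUDO_LOG='Dec 17 10:23:34 host sudo:      jay : TTY=pts/0 ; PWD=/home/jay ; USER=root ; COMMAND=/usr/bin/ls /tmp/a /tmp/b'

logged_command() {
    printf '%s\n' "$SAMPLE_SUDO_LOG" | sed -n 's/.*COMMAND=//p'
}

if [ "$(substitution_uid)" = "$(id -u)" ]; then
    echo "substitution ran as uid $(id -u) (the invoking user), not as root"
fi
echo "privileged command received: $(argv_seen_by_command)"
echo "sudo log records: $(logged_command)"
```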


