Vigil@nce - Sudo: authenticating by changing time
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker who has previously used Sudo can change the system
time in order to use Sudo without authenticating.
Impacted products: Debian, Slackware, Unix (platform)
Severity: 2/4
Creation date: 27/02/2013
DESCRIPTION OF THE VULNERABILITY
When a user authenticates with Sudo, a file is created in the
/var/db/sudo/user directory. The Sudo program then looks at the
file timestamp to check whether the user's last authentication is
recent (less than 5 minutes old), in which case it does not request
a new authentication.
The "sudo -k" command is used to remove this memorized state. To
do so, it changes the file timestamp to 01/01/1970. As there are
then more than 5 minutes between the file timestamp and the
current time, the user has to authenticate again.
However, on some systems, a local user is allowed to alter the
system time. He can then reset it to 01/01/1970. As there are now
less than 5 minutes between the file timestamp and the system time,
the user can run Sudo without entering his password.
A local attacker who has previously used Sudo can therefore change
the system time in order to use Sudo without authenticating.
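The timestamp check described above, modelled in C as an added example (it is not Sudo's source code and not part of the original bulletin). The function names and sample times are hypothetical, and the hardened variant, which rejects the 01/01/1970 value outright instead of relying on its age, is an assumption about one way to close the gap.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define TICKET_TIMEOUT (5 * 60)     /* 5-minute window from the bulletin */
#define TICKET_REVOKED ((time_t)0)  /* "sudo -k" sets the timestamp to 01/01/1970 */

/* Check as the bulletin describes it: only the age of the file is considered. */
bool ticket_valid_naive(time_t ticket_mtime, time_t now)
{
    return now >= ticket_mtime && now - ticket_mtime < TICKET_TIMEOUT;
}

/* Hardened variant (assumption): a revoked ticket is rejected on its value,
 * so it stays invalid whatever the system clock says. */
bool ticket_valid_hardened(time_t ticket_mtime, time_t now)
{
    if (ticket_mtime == TICKET_REVOKED)
        return false;
    return ticket_valid_naive(ticket_mtime, now);
}

int main(void)
{
    /* Constructed sample values, not taken from a real system. */
    const time_t real_now    = 1361923200;      /* 27/02/2013 00:00:00 UTC */
    const time_t reset_clock = 60;              /* clock set back to 01/01/1970 00:01:00 */
    const time_t recent_auth = real_now - 120;  /* authenticated 2 minutes ago */

    printf("revoked ticket, normal clock: naive=%d hardened=%d\n",
           ticket_valid_naive(TICKET_REVOKED, real_now),
           ticket_valid_hardened(TICKET_REVOKED, real_now));
    printf("revoked ticket, reset clock:  naive=%d hardened=%d\n",
           ticket_valid_naive(TICKET_REVOKED, reset_clock),
           ticket_valid_hardened(TICKET_REVOKED, reset_clock));
    printf("recent ticket,  normal clock: naive=%d hardened=%d\n",
           ticket_valid_naive(recent_auth, real_now),
           ticket_valid_hardened(recent_auth, real_now));
    return 0;
}
```

Only the second case differs: the age-only check accepts the revoked ticket once the clock is back at 01/01/1970, while the hardened check still requires authentication.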
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Sudo-authenticating-by-changing-time-12471