Vigil@nce - Sudo: authenticating via ttyname
March 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker, who used Sudo during the last 5 minutes, can use
Sudo on another terminal without authenticating, even if
"tty_tickets" is configured.
Impacted products: Debian, Slackware, Unix (platform)
Severity: 2/4
Creation date: 27/02/2013
DESCRIPTION OF THE VULNERABILITY
When a user authenticates to Sudo, a timestamp file is created in the
/var/db/sudo/user directory. Sudo then checks this file's timestamp
to see whether the last authentication is recent (less than 5
minutes old), in which case it does not request a new
authentication.
When the "tty_tickets" configuration option is set, the
/var/db/sudo/user directory contains one file per terminal (tty), so
the password has to be entered separately in each terminal.
However, an attacker located on terminal B can close stdin, stdout
and stderr, then open the device of terminal A and attach it to file
descriptors 0 to 2. This deceives the ttyname() function, which then
reports that the attacker is located on terminal A.
A local attacker, who used Sudo during the last 5 minutes, can
therefore use Sudo on another terminal without authenticating,
even if "tty_tickets" is configured.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Sudo-authenticating-via-ttyname-12472