touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #77909
[Bug 1219337] Re: Users can change the clock without authenticating, allowing them to locally exploit sudo.
This bug was fixed in the package sudo - 1.8.12-1ubuntu1
---------------
sudo (1.8.12-1ubuntu1) wily; urgency=medium
* Merge from Debian unstable. (LP: #1451274, LP: #1219337)
Remaining changes:
- debian/rules:
+ compile with --without-lecture --with-tty-tickets --enable-admin-flag
+ install man/man8/sudo_root.8 in both flavours
+ install apport hooks
- debian/sudoers:
+ also grant admin group sudo access
- debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
+ add usr/share/apport/package-hooks
- debian/sudo.pam:
+ Use pam_env to read /etc/environment and /etc/default/locale
environment files. Reading ~/.pam_environment is not permitted due to
security reasons.
- debian/control:
+ dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command
- Remaining patches:
+ keep_home_by_default.patch: Keep HOME in the default environment
+ debian/patches/also_check_sudo_group.diff: also check the sudo group
in plugins/sudoers/sudoers.c to create the admin flag file. Leave the
admin group check for backwards compatibility.
* Dropped patches no longer needed:
+ add_probe_interfaces_setting.diff
+ actually-use-buildflags.diff
+ CVE-2014-9680.patch
sudo (1.8.12-1) unstable; urgency=low
* new upstream version, closes: #772707, #773383
* patch from Christian Kastner to fix sudoers handling error when moving
between sudo and sudo-ldap packages, closes: #776137
sudo (1.8.11p2-1) unstable; urgency=low
* new upstream version
sudo (1.8.11p1-2) unstable; urgency=low
* patch from Jakub Wilk to fix 'ignoring time stamp from the future'
messages, closes: #762465
* upstream patch forwarded by Laurent Bigonville that fixes problem with
Linux kernel auditing code, closes: #764817
sudo (1.8.11p1-1) unstable; urgency=low
* new upstream version, closes: #764286
* fix typo in German translation, closes: #761601
sudo (1.8.10p3-1) unstable; urgency=low
* new upstream release
* add hardening=+all to match login and su
* updated VCS URLs and crypto verified watch file, closes: #747473
* harmonize configure options for LDAP version to match non-LDAP version,
in particular stop using --with-secure-path and add configure_args
* enable audit support on Linux systems, closes: #745779
* follow upstream change from --with-timedir to --with-rundir
-- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx> Wed, 13 May 2015
15:43:49 -0400
** Changed in: sudo (Ubuntu)
Status: Triaged => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-9680
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1219337
Title:
Users can change the clock without authenticating, allowing them to
locally exploit sudo.
Status in GNOME Control Center:
Unknown
Status in sudo:
Unknown
Status in Unity:
Invalid
Status in policykit-desktop-privileges package in Ubuntu:
Opinion
Status in sudo package in Ubuntu:
Fix Released
Status in policykit-desktop-privileges source package in Precise:
Opinion
Status in sudo source package in Precise:
Triaged
Status in policykit-desktop-privileges source package in Trusty:
Opinion
Status in sudo source package in Trusty:
Triaged
Status in policykit-desktop-privileges source package in Utopic:
Opinion
Status in sudo source package in Utopic:
Triaged
Status in policykit-desktop-privileges source package in Vivid:
Opinion
Status in sudo source package in Vivid:
Triaged
Bug description:
Under unity and cinnamon, it is possible for a user to turn off
network-syncronized time and then change the time on the system. It is
also possible to "cat /var/log/auth.log" and find the last time a user
authenticated with sudo, along with which pty they used. If a user had
used a terminal and successfully authenticated with sudo anytime in
the past, and left the sudo file in "/var/lib/sudo/<username>/", a
malicious user could walk up to an unlocked, logged in machine and
gain sudo without knowing the password for the computer.
To do this, a user would only need to launch a few terminals, figure
out which pty they were on via "tty", find the an instance in
/var/log/auth.log where sudo was used on that PTY, and set the clock
to that time. Once this is done, they can run (for example) "sudo -s"
and have a full access terminal.
1) This has been observed on Ubuntu 13.04, and may work on other versions.
2) This may have an effect on various window managers, but I confirmed it on Unity and Cinnamon
3) I expected to have to authenticate when I changed the time and date, as I do on Gnome and KDE. I also expected to be denied permission to auth.log
4) I was able to change the system time to whatever I wanted, and view auth.log. This was sufficient to access sudo without having to type my password.
Note: This bug also affects any version of OS X, though the mechanism
is different. Some versions don't require you to authenticate to
change the time through the GUI, but some do. No version I've seen
requires authentication to use the "systemsetup" command, which can
alter the time from the command line. This may be an overall bug in
sudo. Why can I bypass security by changing the time?!
To manage notifications about this bug go to:
https://bugs.launchpad.net/gnome-control-center/+bug/1219337/+subscriptions