ubuntu-translations-coordinators team mailing list archive

Thread
Date

[Bug 1219337] [NEW] Users can change the clock without authenticating, allowing them to locally exploit sudo.

To: ubuntu-translations-coordinators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1219337@xxxxxxxxxxxxxxxxxx>
Date: Tue, 30 Aug 2016 20:03:35 -0000
Reply-to: Bug 1219337 <1219337@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

Under unity and cinnamon, it is possible for a user to turn off network-
syncronized time and then change the time on the system. It is also
possible to "cat /var/log/auth.log" and find the last time a user
authenticated with sudo, along with which pty they used. If a user had
used a terminal and successfully authenticated with sudo anytime in the
past, and left the sudo file in "/var/lib/sudo/<username>/", a malicious
user could walk up to an unlocked, logged in machine and gain sudo
without knowing the password for the computer.

To do this, a user would only need to launch a few terminals, figure out
which pty they were on via "tty", find the an instance in
/var/log/auth.log where sudo was used on that PTY, and set the clock to
that time. Once this is done, they can run (for example) "sudo -s" and
have a full access terminal.

1) This has been observed on Ubuntu 13.04, and may work on other versions.
2) This may have an effect on various window managers, but I confirmed it on Unity and Cinnamon
3) I expected to have to authenticate when I changed the time and date, as I do on Gnome and KDE. I also expected to be denied permission to auth.log
4) I was able to change the system time to whatever I wanted, and view auth.log. This was sufficient to access sudo without having to type my password.

Note: This bug also affects any version of OS X, though the mechanism is
different. Some versions don't require you to authenticate to change the
time through the GUI, but some do. No version I've seen requires
authentication to use the "systemsetup" command, which can alter the
time from the command line. This may be an overall bug in sudo. Why can
I bypass security by changing the time?!

** Affects: gnome-control-center
     Importance: Unknown
         Status: Unknown

** Affects: sudo
     Importance: Unknown
         Status: Unknown

** Affects: ubuntu-translations
     Importance: Undecided
         Status: Invalid

** Affects: policykit-desktop-privileges (Ubuntu)
     Importance: Undecided
         Status: Opinion

** Affects: sudo (Ubuntu)
     Importance: Low
         Status: Fix Released

** Affects: policykit-desktop-privileges (Ubuntu Precise)
     Importance: Undecided
         Status: Opinion

** Affects: sudo (Ubuntu Precise)
     Importance: Low
         Status: Triaged

** Affects: policykit-desktop-privileges (Ubuntu Trusty)
     Importance: Undecided
         Status: Opinion

** Affects: sudo (Ubuntu Trusty)
     Importance: Low
         Status: Triaged

** Affects: policykit-desktop-privileges (Ubuntu Utopic)
     Importance: Undecided
         Status: Opinion

** Affects: sudo (Ubuntu Utopic)
     Importance: Low
         Status: Won't Fix

** Affects: policykit-desktop-privileges (Ubuntu Vivid)
     Importance: Undecided
         Status: Opinion

** Affects: sudo (Ubuntu Vivid)
     Importance: Low
         Status: Won't Fix

-- 
Users can change the clock without authenticating, allowing them to locally exploit sudo.
https://bugs.launchpad.net/bugs/1219337
You received this bug notification because you are a member of Ubuntu Translations Coordinators, which is subscribed to Ubuntu Translations.