WingNews logo WingNews GitHub [2]
top | item 5304153

Run sudo -k, set your clock to 01.01.1970, run sudo su and boom you're root

139 points| tchap | 13 years ago |twitter.com

71 comments

order
[+] dazzawazza|13 years ago|reply
From the FreeBSD man for date

  Only the superuser may set the date, and if the system securelevel (see
  securelevel(7)) is greater than 1, the time may not be changed by more
  than 1 second.
EDIT: so you need to be root anyway or have root access to change the date.
[+] nwh|13 years ago|reply
Users on MacOS can change the time without root access.
[+] frankc|13 years ago|reply
Would this work with an LD_PRELOAD of libfaketime?
[+] jrockway|13 years ago|reply
TL;DR: users in /etc/sudoers can run code as root with sudo.
[+] hosay123|13 years ago|reply
An evil person with e.g. a stolen SSH key can escalate privileges on a machine without needing the user's password. It's not simply about sudo working as designed, it allows bypassing sudo's user authentication entirely.

I can think of a handful of corporate machines (e.g. web servers) I've had pubkey access on where sudo allowed the real admin to gain root from the same account via sudo.

[+] killahpriest|13 years ago|reply
Is 31 characters less worthy of a TL;DR?
[+] trotsky|13 years ago|reply
I see your wonky authentication bypass and raise you a local privilege escalation that is 100% reliable on every distro that's shipped a 3.3-3.8 kernel (last 18 months or so)

http://thread.gmane.org/gmane.linux.network/260061

bad times :/

[+] bpeebles|13 years ago|reply
Linux 3.3 came out 2012-03-18, that's just less than 12 months ago.
[+] mnarayan01|13 years ago|reply
From the vulnerability announcement, it seems like this only allows a user to "set" NOPASSWD for that user's sudo regardless of what's in sudoers. It also doesn't seem to allow escalation beyond what's in sudoers. Am I missing something?
[+] mnarayan01|13 years ago|reply
It looks like you can run `sudo -k` without authenticating via password, so I guess you could use this to bypass the password requirement even if the user had not previously entered their password (provided that the account is capable of changing the system time).

It's certainly worth mentioning (and patching), but I wouldn't describe it as "and boom you're root".

[+] nsmartt|13 years ago|reply
It sounds like you're overlooking the fact that software could do this without your knowledge.
[+] mpyne|13 years ago|reply
Interesting! Does sudo somehow get confused about checking for a password at all when the current date is the UNIX epoch?

I wonder, does this require the user to be listed in sudoers with any privileges or is it just straight to root?

[+] JoachimSchipper|13 years ago|reply
This gives you only the privileges that a successful "sudo" would give you, and requires a previous successful "sudo". It's a nice hack, but hardly the end of the world.
[+] bluesmoon|13 years ago|reply
the user does have to be listed in sudoers.

there's no confusion with sudo, it's running as designed. It compares the current timestamp to the user timestamp to determine whether to ask for a password or not. The first flaw is in the date command allowing unprivileged users to set the time. The second is that the -K flag to sudo makes the -k flag obsolete, so the latter should be dropped.

[+] subway|13 years ago|reply
I wonder if it would be possible to walk back the date using an ntp mitm attack.
[+] _phred|13 years ago|reply
Very, very difficult, unless the host relies on a single timesource. Best and common practice is to use 3-4 sources from different organizations in the ISC pool. It also wouldn't surprise me if most implementations of ntpd would have further safeguards about going 40 years back in time; at the very least the skew factor would make the clock change take a longgggg time to happen.

There are much easier attack vectors.

[+] devicenull|13 years ago|reply 

       -g      Normally, ntpd exits with a message to the system  log  if  the  offset  exceeds  the  panic
               threshold,  which  is  1000 s by default. This option allows the time to be set to any value
               without restriction; however, this can happen only once. If the threshold is exceeded  after
               that,  ntpd  will exit with a message to the system log. This option can be used with the -q
               and -x options. See the tinker command for other options.
[+] hcarvalhoalves|13 years ago|reply
It won't. An NTP client will refuse to update it's system clock back to Epoch. There's a threshold after which ntpdate will refuse to adjust the clock.
[+] papsosouid|13 years ago|reply
No, ntpd adjusts the skew, not the actual time. NTP is specifically designed to prevent time from going backwards because that can cause all sorts of problems with tons of software. It only slows down and speeds up the clock to keep it in sync.
[+] grimtrigger|13 years ago|reply
Can someone explain this a little more?
[+] shocks|13 years ago|reply
http://www.openwall.com/lists/oss-security/2013/02/27/22

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user's time stamp file can be reset using "sudo -k" or removed altogether via "sudo -K".

A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running "sudo -k" and then setting the clock to the epoch (1970-01-01 01:00:00).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

[+] JoachimSchipper|13 years ago|reply
From http://www.openwall.com/lists/oss-security/2013/02/27/22:

    By default, sudo displays a lecture when the user's time stamp
    file is not present.  In sudo 1.6, the -k option was changed
    to reset the time stamp file to the epoch rather than remove
    it to prevent the lecture from being displayed the next time
    sudo was run.  No special case was added for handling a time
    stamp file set to the epoch since the clock should never
    legitimately be set to that value.
[+] bluesmoon|13 years ago|reply
when you run sudo, it might ask for a password. if you enter the right password, it sets a user timestamp saying "this was when you last entered your password", and for some (configured) amount of time after that, you can run sudo without requiring a password.

sudo -k sets the timestamp to the epoch under the (misguided) assumption that the epoch will always be older than the configured time interval.

some distributions allow any user to change the system time without requiring root privileges. These are typically user-friendly, single-user distributions, but many people run these same distributions on multi-user server boxes as well.

so, if an attacker gains access to a user account, and assuming that user does have the right to sudo to root, the attacker can run these three commands to gain a root shell.

[+] mpyne|13 years ago|reply
sudo -k resets the "needs a password to be entered" flag by changing the last-password-entered time to appear to be the UNIX epoch (time 0).

If you then change the date to be the same day (which can be done without root permissions in modern Linux distros by using polkit or similar things), then you can use sudo to run commands as root without a password.

Presumably, sudo checks the 'last-successful-login' entry alone before deciding whether to require a password. It ends up thinking you've previously successfully logged in even if you've never actually typed in the needed password.

[+] Nux|13 years ago|reply
"Set your clock to 01.01.1970" BOOM, you can't! "date: cannot set date: Operation not permitted"
[+] moe|13 years ago|reply
It may be worth noting that local privilege escalation vulnerabilities have always been dime a dozen, this is just a more egregious one.

In your planning always keep in mind that anyone with shell-access to your server can become root in one way or another, if he really wants to. There is little "defense in depth" after that point.

[+] thoughtsimple|13 years ago|reply
After using sudo from the command line, just remember to run sudo -K (note the capital-K) and you should be protected. The -K removes the timestamp which makes it impossible to reset it to 1/1/70 with -k.
[+] hukl|13 years ago|reply
It works if you set your time through system preferences in OSX, Gnome and KDE on some distros. Changing it on those desktop guis does not require admin password. Also see:

http://www.sudo.ws/sudo/alerts/epoch_ticket.html

[+] hukl|13 years ago|reply
Also be sure to set the date including timezone offset.

On OSX run sudo -k, open date and time prefs. Set date to 1970-01-01 00:00:00 including timezone offset (+1 for CET) then run sudo su

[+] rplacd|13 years ago|reply
I'm surprised an issue that high-level's been able to lurk around for so long.
[+] teknolust|13 years ago|reply
Tried it on Debian Mint and it doesn't work. I can't set my clock without sudo.
[+] StavrosK|13 years ago|reply
It doesn't work on Ubuntu, the clock gets reset back to 2010, for some reason.
[+] tudorizer|13 years ago|reply
Automatic time sync?
[+] lurker14|13 years ago|reply
Why does "sudo -k" still exist, when it has obvious risks and is superseded by "sudo -K".

Why does 'sudo -k' not check to see if a timestamp exists, and avoid creating one if it doesn't yet exist?