[ale] security hole?
Tim Watts
timtw at earthlink.net
Thu Jul 30 00:46:25 EDT 2009
Hi,
What's wrong with this picture?
-------------------------------------------------
timtw at dellberry:~$ sudo -K
timtw at dellberry:~$ echo | sudo -S mount /dev/sda5 /mnt >/dev/null
timtw at dellberry:~$ echo $?
0
timtw at dellberry:~$ mount
<...snip...>
/dev/sda5 on /mnt type ext3 (rw)
timtw at dellberry:~$ sudo umount /mnt
[sudo] password for timtw:{i hit ^C here}
timtw at dellberry:~$ echo | sudo -S umount /mnt >/dev/null
timtw at dellberry:~$ echo $?
0
timtw at dellberry:~$ mount
/dev/sda5 on / type ext3 (rw,relatime,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
/proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
varrun on /var/run type tmpfs (rw,nosuid,mode=0755)
varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
lrm on /lib/modules/2.6.27-14-generic/volatile type tmpfs (rw,mode=755)
securityfs on /sys/kernel/security type securityfs (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
mtpfs on /media/mtp type fuse.mtpfs (rw,nosuid,nodev,allow_other)
timtw at dellberry:~$
-------------------------------------------------
Here's the key point: I was able to perform privileged actions while my sudo
"token" was expired WITHOUT entering a password. Now it's true that a person
without sudo privileges couldn't do this, but it still seems like a hole to me.
The odd thing is that without the >/dev/null (or any redirect), the commands
fail as expected. This does NOT happen on my machine with kernel version
2.6.27-7-generic.
Can anyone reproduce this?
Here's the relevant version info:
-------------------------------------------------
timtw at dellberry:~$ sudo -V
Sudo version 1.6.9p17
timtw at dellberry:~$ bash --version
GNU bash, version 3.2.39(1)-release (i486-pc-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.
timtw at dellberry:~$ mount --version
mount from util-linux-ng 2.14 (with libvolume_id and selinux support)
timtw at dellberry:~$ uname -a
Linux dellberry 2.6.27-14-generic #1 SMP Tue Jun 30 19:57:39 UTC 2009 i686 GNU/Linux
timtw at dellberry:~$ cat /etc/*rel*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.10
DISTRIB_CODENAME=intrepid
DISTRIB_DESCRIPTION="Ubuntu 8.10"
timtw at dellberry:~$
-------------------------------------------------
--
A banker is a fellow who lends you his umbrella when the sun is shining, but
wants it back the minute it begins to rain.
-- Mark Twain