Re: Card Reader



Bryan Olson <fakeaddress@xxxxxxxxxxx> wrote:
>Floyd Davidson wrote:
>> Bryan Olson wrote:
>>>You missed it. The path is mucked so "sudo" on the command
>>>line runs my script, and not /usr/bin/sudo. Next time the

That is a totally clueless statement. Running your script
instead of sudo is worthless because your script *can't do
anything*.

>>>user tries to run sudo, he actually runs my script, which
>>>steals the root password or runs /usr/bin/sudo but with a
>>>different argument.

And of course it doesn't ask for a root password, or even one
that allows your script to be run as root.

>> That's just more bull*** Bryan, and you might as well leave
>> it at the door.
>
>Get a clue already.

Well let's just see who actually knows something here Bryan, let's
try it and see!

>> You *can't* just change somebody's "path" to get your version of
>> sudo to run. You first have to crack their account.
>
>I thought I said that...oh look -- I did:
>
> I use some garden-variety exploit to get my code running
> as the user; muck with his path so "sudo" runs my script,
> which gives me root.

So you claim, but that doesn't make it happen. You first have
to break into an account, and then you sure enough can make
an alias or change the PATH variable to cause your version of
sudo to run... but until you break into the root account you
can't get your sudo script to *do* anything that the regular
user couldn't do anyway. Specifically, your sudo trojan is
not going to serve up any root password, nor any password that
allows you to run your script as root.

....
>> You have to crack the user's account.
>
>Just like with Windows NT; yes, as I said.

Except with WinNT, that's *all* you need to do.

>> You probably can't, but
>> even if you do... you then can't *do* anything except destroy
>> that one user. Claiming the can become root just because you've
>> cracked a user's account is more of your ignorance, and
>> indicates how little you actually understand about Unix systems
>> administration and/or security either one.
>
>It puts the lie to your claim:

Actually, that verifies it, for anyone who understands what happens.

> but note that the
> theory requires that a user not just be ignorant, but to
> also intentionally make an effort to assist.

By running your script as root, installing it, or something,
because clearly *you* aren't going to be able to do what you
claimed you could... because you aren't root and you can't get
to be root.

>>>The sudo command (the real one) will prompt for the root password
>>
>> Wrong. I've highlighted a few choice words in the following
>> quoted text from the sudo man page:
>>
>> DESCRIPTION
>> sudo allows a *permitted* user to execute a command as the
>> superuser or another user, *as* *specified* in the sudoers
>> file. ... sudo requires that users authenticate them-
>> selves with a password by default (NOTE: in the default
>> configuration this is the user's password, *not* *the* *root*
>> *password*).
>
>O.K., "the password needed to get root". Makes no difference.

Wrong, there is no such password given up. It asks for that
user's password, and that's it.

You can get (at most) the password to the account that you claim
you've already cracked, and that's it! You have a password that
will allow you to do only whatever that user is allowed to do,
which does *not* include the ability to reconfigure sudo or to
run the script you claim you can run.

In other words, if you already have access to that account, you
can break into *that account*! Wow, what a trick!

>>>as usual, and on success will run .evilscript as root. The script
>>>will get "apt-get update" on its command line, which it can execute
>>>so that the user sees correct behavior. Obviously it can also do
>>>anything else it wants, since it has root.
>>
>> Obviously that is false, since sudo does not ask for the root
>> password
>
>"Has root" means root privilege; a real sysadmin would know that.
>Once the attacker has his own code running as root, he can
>change anything he wants.

Except you *don't* have your code running as root, and you can't
get your code to run as root without the root password.

Your ignorance of systems administration is astounding.

>> and you won't be able to get root privileges by doing
>> that, as instead of getting root you would immediately tip off
>> the user that something is amiss by asking for the root password
>> in your silly pseudo trojan.
>
>Wrong. With the alias method, sudo (the real one) gives its usual
>prompt.

If the real sudo runs, *you* won't get the root password. Simple
as that. It won't *ever* ask for it. And it won't *ever* allow
your script to run as root either.

> Take your own advice and try it. Writing the .evilscript
>is not too hard, but even the following is likely to clue you in:
>
> alias sudo='sudo whoami; echo evil_code_here; whoami;'
> sudo apt-get update

Giggle snort. What is it you think that does?

It certainly doesn't give anyone root to *anything* other than
"apt-get" *if* (and only if) the system has been configured to
give that user access to "/bin/apt-get update".

Your "evil_code_here" runs as the regular user and can do nothing
special. Of course your "sudo whoami" fails just for starters,
with error messages warning the user.

>See? The commands included by the alias really do run as root. It

Only in your imagination!

>still even runs "apt-get update" (as root). Yup, it works. No, it
>doesn't require the intentional assistance you claimed.

It doesn't work at all. Stop being silly. The first thing that
happens is your "sudo whoami" is executed, and *fails* because no
systems admin would configure a user to run whoami as root.


Let's see how far we get... having cracked users "floyd" and
"bryan" on machine "idiot".

First we try as floyd to run commands from your alias, and get

>sudo whoami

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password: floyds_password
floyd is not in the sudoers file. This incident will be reported.

Whoops, that user isn't even authorized to run sudo! So much
for your silly program!

But wait, let's try something else? Get into the "bryan" account,
and check to see if he can do anything!

>sudo whoami
Password: bryans_password
Sorry, user bryan is not allowed to execute '/usr/bin/whoami' as root on idiot.

Hmmm... that is different! So just *exactly* what can you do on this idiot?

>sudo -l
User bryan may run the following commands on this host:
(root) /bin/ls -x

Okay, being an idiot user, bryan can run ls! And of course you probably
think that means you can put a trojan into /tmp and get somewhere...
Wrong again.

>sudo ls
Sorry, user bryan is not allowed to execute '/usr/bin/ls' as root on idiot.

Okay...

>sudo /bin/ls
Sorry, user bryan is not allowed to execute '/bin/ls' as root on idiot.

You see, it means exactly what it says:

>sudo /bin/ls -x
[prints a listing of the current directory]

Now, fool, tell me again how you are going to get your silly
script to run when you can't get access to *anything* other than
the idiot account you already have access to.

>Of course the .evilscript wouldn't print like whoami and echo do.
>(And of course, a real attacker wouldn't call it "~/.evilscript".)
>
>> Typically the sudo user might not even know the root password!
>
>So I should have written "a password to run as root" rather than
>the "the root password". Of course that makes no difference, and
>other than that I was entirely right and you were wrong.

You don't have a clue how any of this works, do you?

Your scenario is hilarious!

--
Floyd L. Davidson http://www.apaflo.com/floyd_davidson
Ukpeagvik (Barrow, Alaska) floyd@xxxxxxxxxx
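
An added example, not part of either poster's message: a check from the defender's side of what the word "sudo" resolves to in a shell, covering the PATH change and the alias that the thread argues about. The function names and the TRUSTED_SUDO variable are assumptions made for this example; /usr/bin/sudo is the path named in the thread.

```shell
#!/bin/sh
# Added example. Source this file in an interactive shell so the alias and
# function checks see that shell's definitions; a child script cannot.
# TRUSTED_SUDO is an assumption; /usr/bin/sudo is the path named in the thread.
TRUSTED_SUDO="${TRUSTED_SUDO:-/usr/bin/sudo}"

# Print the first executable file called $1 along the colon-separated list $2.
first_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    set -f                              # no glob expansion of PATH entries
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs; set +f
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# Print one line saying what typing "sudo" would run with search path $1:
#   alias | function | missing | ok <path> | shadowed <path>
sudo_status() {
    # Aliases and functions are consulted before PATH is searched.
    if alias sudo >/dev/null 2>&1; then
        echo "alias"
    elif [ "$(command -v sudo 2>/dev/null)" = "sudo" ]; then
        echo "function"
    elif ! found=$(first_in_path sudo "$1"); then
        echo "missing"
    elif [ "$found" = "$TRUSTED_SUDO" ]; then
        echo "ok $found"
    else
        echo "shadowed $found"
    fi
}

# Report for the shell this file is run or sourced in.
sudo_status "$PATH"
```

Anything other than "ok" means the name resolves to something besides the trusted binary and is worth inspecting before a password is typed at its prompt.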