Bugtraq mailing list archives
Re: Sudo: local root compromise with krb5 enabled
From: Thor Lancelot Simon <tls () rek tjls com>
Date: Wed, 6 Jun 2007 23:19:01 -0400
On Wed, Jun 06, 2007 at 09:57:25PM -0400, Thor Lancelot Simon wrote:
But woe betide any system administrator who accidentally puts a Kerberos-enabled sudo on a host that's configured as a Kerberos client only!
Actually, if you link sudo to MIT krb5 (rather than Heimdal) it's worse than that, I think: users can override the system keytab setting and cause sudo to *think* there's no keytab when there actually is one, and then have it ask their fake Kerberos servers, and make them root. This is because of a typical obscurity in the MIT Kerberos library combined with some rather old code in sudo. MIT libkrb does this, in krb5_kt_default_name: } else if ((context->profile_secure == FALSE) && (cp = getenv("KRB5_KTNAME"))) { if ((size_t) namesize < (strlen(cp)+1)) return KRB5_CONFIG_NOTENUFSPACE; strcpy(name, cp); So, if profile_secure isn't set in the context, users can simply set KRB5_KTNAME to some nonexistent file, I think, and away they go (as root). Heimdal ignores the environment variable if issetuid() though I'd be happier if it refused to respect it entirely. The MIT library provides several different flavors of krb5_init_context and only one of them (krb5_init_secure_context()) actually sets the profile_secure flag. But sudo uses the standard krb5_init_context() which does *not* set profile_secure and also doesn't call the obsolete (and, I think, never documented) old krb5_secure_config_files() function, which is the only other thing in the MIT library that would set profile_secure and avoid this root compromise. So the hole is worse than I thought. It is probably simplest and best to remove the current krb5 password validating code from sudo, and use Heimdal's krb5_verify_user() instead, and make sudo thus no longer work with MIT krb5, which is a terrible security accident just waiting to happen. Thor
Current thread:
- Sudo: local root compromise with krb5 enabled Thor Lancelot Simon (Jun 07)
- Re: Sudo: local root compromise with krb5 enabled Thor Lancelot Simon (Jun 07)
- MIT krb5: makes sudo authentication issue MUCH worse. Thor Lancelot Simon (Jun 07)
- Re: Sudo: local root compromise with krb5 enabled James Downs (Jun 07)
- Re: Sudo: local root compromise with krb5 enabled Mark Senior (Jun 07)
- Re: Sudo: local root compromise with krb5 enabled Todd C. Miller (Jun 07)
- Re: Sudo: local root compromise with krb5 enabled Mark Senior (Jun 07)
- <Possible follow-ups>
- Re: Sudo: local root compromise with krb5 enabled Ken Raeburn (Jun 12)
- Re: Sudo: local root compromise with krb5 enabled Kyle Wheeler (Jun 14)
- Re: Sudo: local root compromise with krb5 enabled Ken Raeburn (Jun 15)
- Re: Sudo: local root compromise with krb5 enabled Kyle Wheeler (Jun 14)
- Re: Sudo: local root compromise with krb5 enabled Thor Lancelot Simon (Jun 07)