Debian Bug report logs - #701839
sudo: CVE-2013-1776 potential bypass of sudo tty_tickets constraints


Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo.

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 27 Feb 2013 20:15:02 UTC

Severity: important

Tags: security

Fixed in versions sudo/1.8.5p2-1+nmu1, sudo/1.7.4p4-2.squeeze.4

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#701839; Package sudo. (Wed, 27 Feb 2013 20:15:04 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>. (Wed, 27 Feb 2013 20:15:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: sudo: CVE-2013-1776 potential bypass of sudo tty_tickets constraints
Date: Wed, 27 Feb 2013 21:11:49 +0100
[Message part 1 (text/plain, inline)]
Package: sudo
Severity: important
Tags: security

Hi,
the following vulnerability was published for sudo.

CVE-2013-1776[0]:
(from the upstream report)

Sudo 1.8.6p7 and 1.7.10p6 are now available which include a fix for
the following bug:

Potential bypass of sudo tty_tickets constraints

Summary:
    When a user successfully authenticates with sudo, a time stamp
    file is updated to allow that user to continue running sudo
    without requiring a password for a preset time period (five
    minutes by default).

    This time stamp file can either be common to all of a user's
    terminals, or it can be specific to the particular terminal the
    user authenticated themselves on.  The terminal-specific time
    stamp file behavior can be controlled using the "tty_tickets"
    option in the sudoers file.  This option has been enabled by
    default since sudo 1.7.4.  Prior to sudo 1.7.4, the default was
    to use a single time stamp for all the user's sessions.

    A vulnerability exists because the user can control which
    terminal the standard input, output and error file descriptors
    (0-2) refer to.  A malicious user could use this to run commands
    via sudo without authenticating, so long as there exists a
    terminal the user has access to where a sudo command was
    successfully run by that same user within the password timeout
    period (usually five minutes).

    The vulnerability does not permit a user to run commands other
    than those allowed by the sudoers policy.

Sudo versions affected:
    Sudo 1.3.5 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p7 when
    the "tty_tickets" option is enabled.  This option is enabled
    by default in sudo 1.7.4 and above.

Details:
    The vulnerability can be triggered when the standard input,
    output and error file descriptors (0-2) of a process are closed
    and a different terminal device is opened and connected to those
    descriptors.  When sudo tries to determine the terminal device
    via the ttyname() function, it will get the name of the other
    terminal instead.  The core problem is that while ttyname() can
    be used to determine the name of the terminal device connected
    to a specific file descriptor, there is no portable way to
    determine the name of the terminal associated with the session
    the process belongs to.  However, on many systems it is possible
    to determine this by using the /proc file system or the sysctl()
    function.

    Most operating systems that have the /proc file system provide
    a way to determine the controlling terminal device number for
    a process; this information is used by the ps command for
    example.  On Linux, this is the tty_nr field in /proc/self/stat
    (the seventh entry).  On systems with an SVR4-style /proc, this
    is the pr_ttydev member of struct psinfo, which comes from
    /proc/self/psinfo.  Most BSD systems that support the sysctl()
    function also provide a way to get the terminal device number
    via the KERN_PROC_PID sysctl.  By mapping this device number
    to a file name, it is possible to get the name of the terminal
    file without resorting to ttyname().  Sudo began using this
    method to determine the process's terminal starting with version
    1.8.5 and 1.7.10.

    However, sudo still used the ttyname() function as a fall back
    when no controlling terminal was found via /proc or sysctl().
    This allowed a malicious process to cause sudo to use ttyname()
    simply by creating a new session without a controlling tty
    before executing sudo.  In sudo 1.8.6p6 and 1.7.10p5, this fall
    back behavior was removed.  This fixed the vulnerability for
    systems where the process's controlling terminal could be
    determined via /proc or sysctl().

    Sudo 1.8.6p7 and 1.7.10p6 contain an additional fix for systems
    without /proc or sysctl() that stores the POSIX session ID in
    the time stamp file itself.  The controlling terminal is specific
    to the POSIX session it is associated with.  It is not possible
    for two processes in different sessions to have the same
    controlling terminal.  Sudo will now compare the current session
    ID with the one in the time stamp file and ignore the time stamp
    file if the session ID does not match.  This has the additional
    benefit of making it much less likely that a user will be able
    to reuse the time stamp file after logging out and back in again
    on the same terminal.

Impact:
    A (potentially malicious) program run by a user with sudo access
    may be able to bypass the "tty_tickets" constraints.  In order
    for this to succeed there must exist on the machine a terminal
    device that the user has previously authenticated themselves
    on via sudo within the last time stamp timeout (5 minutes by
    default).

    This program may use sudo's -n flag to "probe" the terminals
    in question to see if there is an active time stamp file for
    the user.  Prior to sudo 1.8.6 and 1.7.10, if a password was
    required when the -n flag was specified the failure would not
    be logged, allowing the program to perform such probes without
    being detected.  The successful command (if any), would still
    be logged.

Fix:
    The bug is fixed in sudo 1.8.6p7 and 1.7.10p6.

Credit:
    Ryan Castellucci brought the initial ttyname() issue to my
    attention.  Subsequently, James Ogden discovered that using
    setsid() to create a new session would cause sudo to fall back
    to using ttyname().

    Other shortcomings in sudo's "tty_tickets" functionality have
    been known and discussed openly for some time.  There is a long
    discussion about them at:
	https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/87023



If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
    http://security-tracker.debian.org/tracker/CVE-2013-1776
Please adjust the affected versions in the BTS as needed.


-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
[Message part 2 (application/pgp-signature, inline)]
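
The terminal lookup and session check described in the advisory above, modelled in C as an added example (not sudo's code and not part of the bug log): it reads the session and tty_nr fields from a Linux /proc/<pid>/stat line and accepts a time stamp only when the controlling terminal and the session ID both match. The struct and function names, the ticket layout and the sample stat lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/<pid>/stat prefixes, not captured from a real system. */
const char STAT_ON_PTS1[] = "4242 (bash) S 4241 4242 4242 34817 4242";
/* comm contains ") " and tty_nr is 0: a session with no controlling tty. */
const char STAT_NO_CTTY[] = "5150 (a) b) S 1 5150 5150 0 -1";

struct proc_tty {
    int session;                        /* field 6: POSIX session ID */
    unsigned int dev_major, dev_minor;  /* decoded from field 7, tty_nr */
    int has_ctty;                       /* 0 when tty_nr is 0 */
};

/* Hypothetical ticket record: terminal device, session ID, time of auth. */
struct ticket { unsigned int dev_major, dev_minor; int session; long stamp; };

/* Parse one stat line. comm (field 2) is parenthesised and may contain
 * spaces or ')', so scanning resumes after the LAST ')'. */
int parse_proc_stat(const char *line, struct proc_tty *out)
{
    const char *p = strrchr(line, ')');
    char state;
    int ppid, pgrp, session, tty_nr;
    unsigned int n;

    if (p == NULL ||
        sscanf(p + 1, " %c %d %d %d %d", &state, &ppid, &pgrp, &session, &tty_nr) != 5)
        return -1;
    n = (unsigned int)tty_nr;
    out->session = session;
    out->has_ctty = (tty_nr != 0);
    /* Linux encoding: major in bits 15-8, minor in bits 31-20 and 7-0. */
    out->dev_major = (n >> 8) & 0xff;
    out->dev_minor = (n & 0xff) | ((n >> 12) & 0xfff00);
    return 0;
}

/* Accept a ticket only for the same controlling terminal AND the same
 * session; with no controlling terminal there is nothing to fall back to. */
int ticket_valid(const struct ticket *t, const struct proc_tty *cur,
                 long now, long timeout)
{
    if (!cur->has_ctty) return 0;
    if (t->dev_major != cur->dev_major || t->dev_minor != cur->dev_minor) return 0;
    if (t->session != cur->session) return 0;
    return now >= t->stamp && now - t->stamp <= timeout;
}
```

Device 136:1 in the first sample corresponds to /dev/pts/1 on Linux; the second sample is the state of a process that has created a new session without a controlling terminal.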

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Fri, 01 Mar 2013 05:36:05 GMT)

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Fri, 01 Mar 2013 05:36:05 GMT)

Message #10 received at 701839-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 701839-close@bugs.debian.org
Subject: Bug#701839: fixed in sudo 1.8.5p2-1+nmu1
Date: Fri, 01 Mar 2013 05:32:53 +0000
Source: sudo
Source-Version: 1.8.5p2-1+nmu1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701839@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Mar 2013 03:26:37 +0000
Source: sudo
Binary: sudo sudo-ldap
Architecture: source amd64
Version: 1.8.5p2-1+nmu1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 701838 701839
Changes: 
 sudo (1.8.5p2-1+nmu1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2013-1775: authentication bypass when the clock is set to the UNIX
     epoch [00:00:00 UTC on 1 January 1970] (closes: #701838).
   * Fix cve-2013-1776: session id hijacking from another authorized tty
     (closes: #701839).




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#701839; Package sudo. (Fri, 01 Mar 2013 06:06:04 GMT)

Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Fri, 01 Mar 2013 06:06:04 GMT)

Message #15 received at 701839@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 701838@bugs.debian.org, 701839@bugs.debian.org
Subject: nmu for security issues
Date: Fri, 1 Mar 2013 01:04:11 -0500
[Message part 1 (text/plain, inline)]
Hi,

I uploaded an nmu fixing the recent security issues.  Please see attached patch.

Best wishes,
Mike
[sudo.patch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#701839; Package sudo. (Fri, 01 Mar 2013 14:27:11 GMT)

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Fri, 01 Mar 2013 14:27:11 GMT)

Message #20 received at 701839@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: Michael Gilbert <mgilbert@debian.org>, 701838@bugs.debian.org, 701838@bugs.debian.org, 701839@bugs.debian.org
Subject: Re: Bug#701838: nmu for security issues
Date: Fri, 01 Mar 2013 07:22:27 -0700
[Message part 1 (text/plain, inline)]
Michael Gilbert <mgilbert@debian.org> writes:

> I uploaded an nmu fixing the recent security issues.  Please see
> attached patch. 

Thanks.

Bdale
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Sun, 10 Mar 2013 17:06:13 GMT)

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sun, 10 Mar 2013 17:06:14 GMT)

Message #25 received at 701839-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 701839-close@bugs.debian.org
Subject: Bug#701839: fixed in sudo 1.7.4p4-2.squeeze.4
Date: Sun, 10 Mar 2013 17:02:21 +0000
Source: sudo
Source-Version: 1.7.4p4-2.squeeze.4

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701839@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 06 Mar 2013 18:41:15 +0000
Source: sudo
Binary: sudo sudo-ldap
Architecture: source amd64
Version: 1.7.4p4-2.squeeze.4
Distribution: stable-security
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 701838 701839
Changes: 
 sudo (1.7.4p4-2.squeeze.4) stable-security; urgency=high
 .
   * Fix cve-2013-1775: authentication bypass when the clock is set to the UNIX
     epoch [00:00:00 UTC on 1 January 1970] (closes: #701838).
   * Fix cve-2013-1776: session id hijacking from another authorized tty
     (closes: #701839).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 08 Apr 2013 07:26:16 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:58:05 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.