Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user. https://en.wikipedia.org/wiki/Sudo
Let’s say that we have a folder named /luggage/. The luggage is carrying some incredibly valuable things. Rincewind and twoflower are two users who have been traveling with this luggage for sometime. Because, rincewind doesn't want twoflower to read the octavo, but is fine if he looks at the camera, both which are located in the in the luggage. /luggage/camera/ /luggage/octavo/ We have allowed twoflower to run only the cat command as rincewind, and only in the location /luggage/camera/ folder. Because, we don’t know what the photos will be named we will wildcard all the filenames in /luggage/camera/*
Rincewind feels pretty good that twoflower will never be able to read anything in the octavo and certainly never be able to read the spell located in the folder and file permissions are both set with 0700. Below is the output of /etc/sudoers.d/012-twoflower file and a command output.
We feel pretty good about this setup, it has only allowed twoflower a single command in a single path. Next we let twoflower have at it. And then something terrible happens.
Twoflower has read the spell inside of the octavo and everything has ended. How? what? This is simply the way that the wildcard works with sudo. It’s just turtles, all the way down. We should never use wildcards like this in sudo, ever.
Next, lock it down, we will take away the cat command and replace it with just VI and then no arguments can be passed to VI, because if a wildcarded path is included then VI will fall to the same directory traversal issue.
This is even worse because now, not only can twoflower still open read and edit the spell in the octavo, VIM has enabled a shell escape as the sudoer. This is because VIM is invoking the shell after the session is launched as the sudoer. Honey badger (VIM) don’t care what the sudoers.d/file said. Alright next step, take away VIM, give twoflower less and ONLY a single file in a single folder, because less has to be better.
This might have been a little hard to understand so here are a few more screen shots.
start the sudo less command and pass the picture file
less is now displaying the picture file
!bash<enter>
less has launched an escaped shell as rincewind and now we can read the spell (facepalm)
Sudo is a super powerful and incredibly dangerous tool. The commands that are allowed sudo access need to be thought out and the functionality needs to be understood. None of these examples are exploits, or overflows. They are all working exactly as designed. Understand the privileges that you are granting with sudo, otherwise someone will get into your fridge, eat all your food and then burn down your house.
Great source for deeper explanation of restricted shells and commands.
SANS Penetration Testing_Editor's Note: On the GPWN mailing list for SANS Pen Test Course Alumni a few months ago, we had a nice, lively…_pen-testing.sans.org