undefined | Better HN

0 pointsIshKebab23d ago0 comments

> If you require password authentication when running sudo then an attacker has to find a RCE exploit and then crack a password.

Nope! Just alias sudo to something that logs the password.

0 comments

gamer19123d ago

Interesting. If that’s possible (I haven’t tested it, but I’m sure it is) then you wouldn’t even need to log the password. You could just alias sudo to a bash script that runs your malicious payload using the real sudo. Then the user would run the command, be prompted for their password by the real sudo, and be none the wiser that a malicious script has just been executed

For what it’s worth, Windows’ security model says it’s not an exploit that programs can grant themselves admin rights if the user is an admin (https://github.com/hfiref0x/UACME). But afaik Linux doesn’t have that model so it is a bit of an issue that this is possible

hnlmorg23d ago

> Interesting. If that’s possible

It’s not possible. At least not unless those users have already borked their own system.

The previous poster was clutching at straws.

IshKebabOP23d ago

Of course it's possible. I've tried it. It works. It's just standard Unix features. What makes you think it isn't possible?

1 more reply

hnlmorg23d ago

How are you going to do that without write access to the users home directory?

Like I said before, your RCE exploit will be running as the user and group of the service you exploited. For example www:www

So you’re not going to be able to write into Joe Bloggs .bashrc file unless Joe was stupid enough to enable write permission to “other”. Which, once again, requires the user to purposely modify the system into being less secure than its default configuration

IshKebabOP23d ago

> your RCE exploit will be running as the user and group of the service you exploited. For example www:www

Only if the exploit is through a web server or similar. If it's through the user's web browser, email client, video player, etc. etc. then you'll have write access to their home directory.

hnlmorg23d ago

But thats not a daemon then. Thats a completely different type of exploit from the ones we were originally talking about.

Yes, if a desktop application has a bug then it can do damage. But at that point, who cares about sudo? The exploit already has access to your ssh keys, browser cookies and history (so can access banking and shopping sites), crypto-currency wallets and so on and so forth.

What an exploit has access to here is so much worse than getting root access on a desktop OS.

j / k navigate · click thread line to collapse

0 comments

gamer19123d ago

hnlmorg23d ago

> Interesting. If that’s possible

It’s not possible. At least not unless those users have already borked their own system.

The previous poster was clutching at straws.

IshKebabOP23d ago

Of course it's possible. I've tried it. It works. It's just standard Unix features. What makes you think it isn't possible?

1 more reply

hnlmorg23d ago

How are you going to do that without write access to the users home directory?

Like I said before, your RCE exploit will be running as the user and group of the service you exploited. For example www:www

IshKebabOP23d ago

> your RCE exploit will be running as the user and group of the service you exploited. For example www:www

Only if the exploit is through a web server or similar. If it's through the user's web browser, email client, video player, etc. etc. then you'll have write access to their home directory.

hnlmorg23d ago

But thats not a daemon then. Thats a completely different type of exploit from the ones we were originally talking about.

What an exploit has access to here is so much worse than getting root access on a desktop OS.

j / k navigate · click thread line to collapse