It has been discovered that under certain conditions, a security vulnerability allows attackers to circumvent the protections offered by the sudo utility. The hole permits attackers to execute commands which would otherwise require the use of sudo coupled with the relevant password.
On Unix-like systems, the sudo command is used to execute other commands with the privileges of different users, but using the original user's own password for authentication. This feature is used in Mac OS X and Linux distributions such as Ubuntu to allow users to perform administrative tasks without having to log in as a root user. Following authentication, a time stamp is used to open a time window of (usually) five minutes within which it is not necessary to re-enter a password.
For the attack to work, the logged-in user must be listed in the /etc/sudoers file, which also specifies which programs can be executed with which privileges. The user must have run a sudo command at least once and have successfully authenticated himself or herself. It must also be possible to modify the system time without entering a password.
If these conditions are met, simply resetting the time stamp using sudo -k and then setting the system time to 1 am on 1 January 1970 (the Unix time start date) is sufficient to enable the user to run any commands to which, according to the /etc/sudoers file, he or she has access. In both Ubuntu and Mac OS X, the first user created during installation is a member of the admin group and is allowed to use sudo to execute all available commands on the system.
It should be noted that changing the date is usually a privileged action which would require the root password or authenticated administrative privilege. In the Mac OS X case it is possible to leave the time preferences unlocked. It is advisable to create a user who does not have administrator privileges and to use this user for day-to-day work to reduce exposure to such vulnerabilities.
Sudo versions 1.6.0 to 1.7.10p6 and 1.8.0 to 1.8.6p6 are affected. The vulnerability has been fixed in versions 1.7.10p7 and 1.8.6p7. Mac OS X 10.8.2 uses sudo 1.7.4p6 and is therefore vulnerable until Apple ships an update.
NOTE: I checked Lubuntu 10.04 (LTS) package info and discovered it's one of the vulnerable versions:
apt-cache showpkg sudo
Package: sudo
Versions:
1.8.3p1-1ubuntu3.4
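
A check of a sudo version string against the affected ranges listed above, as an added example (not part of the original post and not the sudo project's code). The function names are hypothetical, and only the upstream part of the version is compared: distribution packages can carry a backported fix under an older upstream number, so a match is a prompt to read the vendor advisory.

```python
import re
import subprocess

# Affected upstream ranges as stated in the article (bounds inclusive).
AFFECTED = [("1.6.0", "1.7.10p6"), ("1.8.0", "1.8.6p6")]

# major.minor[.patch][pN]; sudo marks patch levels with a "pN" suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_sudo_version(text):
    """Return (major, minor, patch, plevel) from an upstream or distro string.

    Accepts '1.7.4p6', '1.8.3p1-1ubuntu3.4' or 'Sudo version 1.8.6p7'.
    A missing patch number or 'pN' suffix counts as 0, so 1.8.6 < 1.8.6p1.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def in_affected_range(version_text):
    """True if the upstream version lies in one of the affected ranges."""
    v = parse_sudo_version(version_text)
    return any(
        parse_sudo_version(lo) <= v <= parse_sudo_version(hi)
        for lo, hi in AFFECTED
    )


def local_sudo_version():
    """First line of `sudo -V`, e.g. 'Sudo version 1.8.6p7'."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()[0]


if __name__ == "__main__":
    # Constructed sample inputs: versions named on this page plus the fixed ones.
    for sample in ["1.7.4p6", "1.8.3p1-1ubuntu3.4", "1.7.10p7", "1.8.6p7"]:
        state = "in affected range" if in_affected_range(sample) else "not in affected range"
        print(f"{sample}: {state}")
```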