Sunday, August 16, 2015

PSA: Beware of sudo on OS X

There's a little kerfuffle going on over on HN about a newly discovered local root exploit on OS X 10.10.5, so I thought this might be a good time to make sure everyone is aware of something that I just discovered myself a few days ago: Apple ships sudo with tty_tickets disabled by default.  What this means is that if you use sudo to give yourself root privileges, your sudo authentication is not bound to the TTY in which you ran sudo.  It applies to any process you (or malware running as you) start after authentication.  The way Apple ships it, sudo is, essentially, a giant privilege escalation vulnerability.  To see this: open two terminal windows and run sudo in both of them.  Only the first one will ask for your password.

It's easy to fix.  Just run visudo and add this line:
Defaults tty_tickets
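To make the effect of that one line concrete, and to keep tty_tickets apart from the separate timestamp_timeout knob that some of the comments conflate, here is an added example that is not from this post or from sudo itself: it parses the unscoped Defaults lines of sudoers text and reports whether the cached credential is bound to a TTY. The sudoers samples are constructed; compiled_default stands in for what the sudo binary assumes when sudoers says nothing, which is an assumption about the build rather than something read from disk.

```python
import re
from typing import Dict

# Constructed sample sudoers text (not Apple's shipped file): the pre-fix
# state the post describes, then the same file after the visudo edit.
SUDOERS_BEFORE = """\
# Defaults specification
Defaults env_reset
Defaults env_keep += "BLOCKSIZE"
Defaults timestamp_timeout=15
%admin ALL=(ALL) ALL
"""
SUDOERS_AFTER = SUDOERS_BEFORE + "Defaults tty_tickets\n"

# Unscoped 'Defaults' only: Defaults:user / @host / >user have no space after the keyword.
_DEFAULTS_RE = re.compile(r"^\s*Defaults\s+(.*)$")

def parse_defaults(sudoers_text: str) -> Dict[str, object]:
    """Global Defaults: 'flag' -> True, '!flag' -> False, 'name=value' -> value.
    List edits (+= / -=) are skipped; '#' comments are stripped naively."""
    effective: Dict[str, object] = {}
    for raw in sudoers_text.splitlines():
        m = _DEFAULTS_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        for item in (s.strip() for s in m.group(1).split(",")):
            if not item or "+=" in item or "-=" in item:
                continue
            if "=" in item:
                name, value = (s.strip() for s in item.split("=", 1))
                effective[name] = value.strip('"')
            elif item.startswith("!"):
                effective[item[1:]] = False
            else:
                effective[item] = True
    return effective

def tty_tickets_enabled(sudoers_text: str, compiled_default: bool = False) -> bool:
    """compiled_default is what the binary assumes when sudoers is silent: False
    models the OS X 10.10 case in the post, True a build shipped with it on."""
    return bool(parse_defaults(sudoers_text).get("tty_tickets", compiled_default))

def assess(sudoers_text: str, compiled_default: bool = False) -> str:
    """One-line summary keeping the two knobs (timeout vs. TTY binding) apart."""
    opts = parse_defaults(sudoers_text)
    tty = tty_tickets_enabled(sudoers_text, compiled_default)
    scope = "only the TTY that authenticated" if tty else "any process of this user"
    return (f"timestamp_timeout={opts.get('timestamp_timeout', 'sudo default')} min; "
            f"tty_tickets={'on' if tty else 'off'} (cached credential valid for {scope})")
```

Running assess() on the two samples shows the timeout unchanged and only the scope of the cached credential narrowing, which is exactly what the visudo edit buys you.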

14 comments:

  1. People should simply not have the default administrator account as their main user. Period. Make yourself a new user account, non-admin, and do all your computing from there, and when necessary you will be asked to enter the name and password of an admin user - no extra hassle, but none of the security risks that come from being just a sudo away from root privileges.

  2. This vulnerability is concerningly also present on the current OS X 10.11 beta, number 3. Thankfully, the visudo edit patched it. Thanks!

  3. Thanks for this info. I just tested it on 10.10.2 and it exists there as well. Fixed with the same addition you mentioned.

  4. This has been the default for sudo for as long as I have been using Linux and other variants of UNIX - sudo will prompt for password once, and if authenticated successfully will allow escalated privileges on all terminals for a default of 15 minutes.

    I don't see why this is more dangerous in OSX compared to other variants of UNIX.

    You might be referring to this, which is not a flaw within sudo itself https://www.reddit.com/r/netsec/comments/3e34i2/os_x_1010_dyld_print_to_file_local_privilege/

    Replies
    1. Hanxue Lee, you are confusing `tty_tickets` and `timestamp_timeout`. The concern reported by Ron is valid, because a lot of users may be relying on the tty-isolation of their sudo authentication, which is not default on OSX according to this blog post.

  5. > This has been the default for sudo for as long as I have been using Linux

    I don't know what Linux distro you are using, but Debian and Ubuntu both have tty_tickets enabled by default.

  6. Why on Earth would anyone ever want tty_tickets off? Even when intended, it's probably a race condition.

  7. This comment has been removed by the author.

  8. I like how "you found it" after some days that I released a paper on ycombinator, reddit etc.
    Causality or what? :D
    Cheers mate!
    https://news.ycombinator.com/item?id=10044589

  9. I presume you are suggesting that two people discovering the same vulnerability is a low-probability event?

  10. Oh man, thanks. I loved this feature on OSX and have had trouble figuring out how to "enable" it on my Linux host.

  11. @Fifty: That's exactly how OS X works by default. What's suggested here is a way to avoid your occasional sudo command from opening up other vulnerabilities.

  12. I believe this is fixed in macOS Sierra (10.12).
