
I need some information regarding the possible attack vector on *nix platforms of running su/sudo.

Can a malicious process wait for the user to run su or sudo and then exploit that root access somehow? Or is this already protected somehow?

For example, if /dev/tty2 has impersonated root with su:

# inject text
echo 'Adding malicious text to a root tty, like Enter Password:' > /dev/tty2
# read keystrokes
cat /dev/tty2
# not sure how to write keystrokes or if it is possible

Maybe this is already documented, or protected; if so, please link me to the docs.


PS: Please don't shut me down as if I am requesting help to do an exploit. I am not. The question is about the risks of using su/sudo versus logging in as root, in the context of a discussion about whether Windows should have a sudo command or not. I need to get my facts straight.

You're asking about the security model of one set of operating systems, the set that is on topic here and fine to ask about. But you're doing so in order to then go and use that as an argument about a different operating system, not on topic here, with a different security model by design. Your best bet is to go and learn about the Windows security model. Start by learning about the Shatter Attack, and why the Windows world is strongly averse to bringing that back irrespective of what weaknesses there might be in Unices and Linux. Here really isn't the place for that. – JdeBP Feb 06 '20 at 08:52
@JdeBP Your questioning of Gerardo's intentions and recommendation of investigating a different topic is inappropriate to the question/answer rules of Stack Exchange. Gerardo is asking a very concrete question on *nix security and this is the proper place to do that. What this site is not is a place for pointless controversy. His clarification and mention of Windows is just to explain that he's not doing research for a malicious purpose. – Sebastián Grignoli Mar 01 '20 at 22:59

1 Answer


Yes, a process can inject input into a tty via the TIOCSTI ioctl. At least on Linux, that's subject to some restrictions: the caller must be root (CAP_SYS_ADMIN) or inject into its own controlling tty.

That's still quite dangerous, and TIOCSTI was gutted in systems like OpenBSD, but its threat model was usually the reverse of the one in your question: root was supposed to use su (or something else) to run a command as an ordinary user, and that command was able to insert keys into the controlling tty it shared with its privileged caller. See examples here and here.

Of course, that could also be exploited via biff(1) or some other program running on the same tty that su root was started from, but that doesn't look that interesting: if an attacker was able to get hold of an account that is able to su or sudo, there are probably simpler and nicer ways to escalate it.
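The mechanism the answer describes, as an added example that is not part of the original answer: a Python script (Linux only) that allocates a pty pair, forks a child, and has the child push a constructed "keystroke" payload (`id\n`, an assumed sample) into the pty with TIOCSTI. The child does this twice: once after adopting the pty as its controlling tty, which mirrors a command sharing the tty with the su/sudo caller, and once from a fresh session with no controlling tty, which is what setsid(1) or sudo's `use_pty` option give the privileged caller. In the first case the injected line becomes readable from the tty as if it had been typed; in the second the kernel refuses with EPERM unless the caller has CAP_SYS_ADMIN. On Linux 6.2 and later with `dev.tty.legacy_tiocsti=0`, both calls fail with EIO instead, which is the quick check to run on a system you are assessing. All function names below are mine.

```python
"""TIOCSTI demo: a process can push keystrokes into its *controlling* tty.

Added example, not part of the original answer. Linux-only; needs a kernel
with TIOCSTI enabled (Linux 6.2+ returns EIO when dev.tty.legacy_tiocsti=0).
"""
import errno
import fcntl
import os
import select
import termios

PAYLOAD = b"id\n"                  # constructed sample "keystrokes" to inject
LEGACY_DISABLED = errno.EIO        # Linux >= 6.2 with dev.tty.legacy_tiocsti=0
NOT_CONTROLLING_TTY = errno.EPERM  # tty is not ours and we lack CAP_SYS_ADMIN


def inject_keys(fd, keys):
    """Push each byte of `keys` into the input queue of the tty on `fd`,
    as if it had been typed. Returns None on success, else the errno."""
    try:
        for i in range(len(keys)):
            fcntl.ioctl(fd, termios.TIOCSTI, keys[i:i + 1])
    except OSError as e:
        return e.errno
    return None


def _read_line(fd, timeout=2.0):
    """Read whatever the tty hands back within `timeout` seconds. The pty is
    in canonical mode, so a whole line arrives once the '\\n' is injected."""
    ready, _, _ = select.select([fd], [], [], timeout)
    return os.read(fd, 256) if ready else b""


def _run_in_child(slave, adopt_tty):
    """Fork; the child starts a new session and, if adopt_tty, makes the pty
    slave its controlling tty before injecting. Returns (errno|None, bytes)."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: report back through the pipe, never return
        err, out = None, b""
        try:
            os.close(r)
            os.setsid()
            if adopt_tty:
                fcntl.ioctl(slave, termios.TIOCSCTTY, 0)
            err = inject_keys(slave, PAYLOAD)
            if err is None:
                out = _read_line(slave)
        except OSError as e:
            err = e.errno
        finally:
            try:
                os.write(w, b"%d:%s" % (err or 0, out))
            finally:
                os._exit(0)
    os.close(w)
    data = b""
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        data += chunk
    os.close(r)
    os.waitpid(pid, 0)
    err_s, _, out = data.partition(b":")
    return (int(err_s or 0) or None), out


def run_tiocsti_demo():
    """Run both scenarios on one pty pair and return the observed results."""
    master, slave = os.openpty()
    try:
        # Attacker runs in its own session (what setsid or sudo's use_pty
        # gives the caller): the pty is not its controlling tty -> EPERM.
        detached_err, _ = _run_in_child(slave, adopt_tty=False)
        # Attacker shares the controlling tty with the privileged caller:
        # the injected bytes are readable from the tty as if typed.
        shared_err, shared_read = _run_in_child(slave, adopt_tty=True)
    finally:
        os.close(master)
        os.close(slave)
    return {"shared_error": shared_err, "shared_read": shared_read,
            "detached_error": detached_err}


if __name__ == "__main__":
    for k, v in run_tiocsti_demo().items():
        print(k, "=", errno.errorcode.get(v, v) if isinstance(v, int) else v)
```

Run it as an unprivileged user: `shared_read` comes back as the injected line while `detached_error` is EPERM, which is the whole difference between su/sudo handing the command the caller's tty and giving it a fresh session or pty. If both report EIO, the kernel has the legacy ioctl switched off and this particular vector is closed regardless of how su or sudo are configured.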