Only the superuser may set the date, and if the system securelevel (see
securelevel(7)) is greater than 1, the time may not be changed by more
than 1 second.
EDIT: so you need to be root anyway or have root access to change the date.
Are you sure? If it is it sounds like a possible security issue. Time is pretty sensitive as soon as certificates are involved. Many auth systems assume the clock is properly synchronized across the system.
If that's true IMO that's the security issue, not the arguably strange behaviour of sudo in a situation that should never occur.
This is absolutely not true. You must be listed as an Administrator to change system time. If you're an Administrator, then your account is also included in the admin group which means you have full sudo access anyway.
env_reset
If set, sudo will run the command in a minimal
environment containing the TERM, PATH, HOME, MAIL,
SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
Any variables in the caller's environment that match
the env_keep and env_check lists are then added,
followed by any variables present in the file specified
by the env_file option (if any). The default contents
of the env_keep and env_check lists are displayed when
sudo is run by root with the -V option. If the
secure_path option is set, its value will be used for
the PATH environment variable. This flag is on by
default.
Also this would open up an entire vector of arbitrary command execution attacks if it was allowed.
Also, you can not use LD_PRELOAD on sudo itself, as it is disabled for setuid binaries.
An evil person with e.g. a stolen SSH key can escalate privileges on a machine without needing the user's password. It's not simply about sudo working as designed, it allows bypassing sudo's user authentication entirely.
I can think of a handful of corporate machines (e.g. web servers) I've had pubkey access on where sudo allowed the real admin to gain root from the same account via sudo.
You mean, all of the NTP servers the machine uses. NTP will detect and reject a single server reporting bad time (assuming you have at least 3 servers configured, which is the recommendation).
You'd also have to do this when the NTP daemon first starts up, as:
-g Normally, ntpd exits with a message to the system log if the offset exceeds the panic
threshold, which is 1000 s by default. This option allows the time to be set to any value
without restriction; however, this can happen only once. If the threshold is exceeded after
that, ntpd will exit with a message to the system log. This option can be used with the -q
and -x options. See the tinker command for other options.
The NTP config on the machine would have to allow automatic changes without regard to the skew. I don't believe that is a default (or typically desired) configuration.
Can't the evil person with said access just wait until the person legitimately runs sudo? Today's exploit just allows the attack to happen more quickly, if the attacker happens to be able to change the time on the clock by a few billion seconds without escalated access.
I see your wonky authentication bypass and raise you a local privilege escalation that is 100% reliable on every distro that's shipped a 3.3-3.8 kernel (last 18 months or so)
From the vulnerability announcement, it seems like this only allows a user to "set" NOPASSWD for that user's sudo regardless of what's in sudoers. It also doesn't seem to allow escalation beyond what's in sudoers. Am I missing something?
It looks like you can run `sudo -k` without authenticating via password, so I guess you could use this to bypass the password requirement even if the user had not previously entered their password (provided that the account is capable of changing the system time).
It's certainly worth mentioning (and patching), but I wouldn't describe it as "and boom you're root".
Software that can do this could also just wait for you to run a sudo command and then install a rootkit before the timeout is reached. Or it could keylog your password.
On desktop machines getting root is almost useless, you have all the sensitive information on the user account. Unless the attacker wants to install a rootkit in the kernel or open raw sockets or stuff like that. But if they can run arbitrary code with your UID you've probably already lost anyway.
I suppose that's true, but ideally there should be no situation in which you give a program or script access to a terminal with sudo's timeout unreached. Compromising information not stored on the machine should ideally require root.
This gives you only the privileges that a successful "sudo" would give you, and requires a previous successful "sudo". It's a nice hack, but hardly the end of the world.
there's no confusion with sudo, it's running as designed. It compares the current timestamp to the user timestamp to determine whether to ask for a password or not. The first flaw is in the date command allowing unprivileged users to set the time. The second is that the -K flag to sudo makes the -k flag obsolete, so the latter should be dropped.
Very, very difficult, unless the host relies on a single timesource. Best and common practice is to use 3-4 sources from different organizations in the ISC pool. It also wouldn't surprise me if most implementations of ntpd would have further safeguards about going 40 years back in time; at the very least the skew factor would make the clock change take a longgggg time to happen.
Actually I had to write a ntp spoofer for an university class. With arpspoof it is easy to manipulate all ntp traffic. At least ntpdate didn't complain when you sent it some years forward or backward.
ntpdate won't complain because it's entire purpose is to set the time on a system that isn't synchronized with the rest of the world. So it is expected that the clock may have drifted by a substantial amount, and it is only meant to be used occasionally. It is especially bad practice to run it from cron.
On the other hand, ntpd is a daemon that is meant to be run continuously. It will complain if lower-strata time servers start jumping around, and has a built-in mechanism for ignoring time servers that seem to be giving incorrect time (compared to both other servers and the system's own idea of the current time). Note that, if having accurate time is important, ntpd also supports using external reference clocks with a pulse-per second connected to, for example, a serial port.
This isn't always true: it all depends on where you [the attacker] are. If you've done something like compromise part of a large organization's network, it's entirely plausible that you could spoof either their internal NTP server or time.apple.com but not both.
-g Normally, ntpd exits with a message to the system log if the offset exceeds the panic
threshold, which is 1000 s by default. This option allows the time to be set to any value
without restriction; however, this can happen only once. If the threshold is exceeded after
that, ntpd will exit with a message to the system log. This option can be used with the -q
and -x options. See the tinker command for other options.
It won't. An NTP client will refuse to update it's system clock back to Epoch. There's a threshold after which ntpdate will refuse to adjust the clock.
No, ntpd adjusts the skew, not the actual time. NTP is specifically designed to prevent time from going backwards because that can cause all sorts of problems with tons of software. It only slows down and speeds up the clock to keep it in sync.
When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user's time stamp file can be reset using "sudo -k" or removed altogether via "sudo -K".
A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running "sudo -k" and then setting the clock to the epoch (1970-01-01 01:00:00).
The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.
By default, sudo displays a lecture when the user's time stamp
file is not present. In sudo 1.6, the -k option was changed
to reset the time stamp file to the epoch rather than remove
it to prevent the lecture from being displayed the next time
sudo was run. No special case was added for handling a time
stamp file set to the epoch since the clock should never
legitimately be set to that value.
when you run sudo, it might ask for a password. if you enter the right password, it sets a user timestamp saying "this was when you last entered your password", and for some (configured) amount of time after that, you can run sudo without requiring a password.
sudo -k sets the timestamp to the epoch under the (misguided) assumption that the epoch will always be older than the configured time interval.
some distributions allow any user to change the system time without requiring root privileges. These are typically user-friendly, single-user distributions, but many people run these same distributions on multi-user server boxes as well.
so, if an attacker gains access to a user account, and assuming that user does have the right to sudo to root, the attacker can run these three commands to gain a root shell.
sudo -k resets the "needs a password to be entered" flag by changing the last-password-entered time to appear to be the UNIX epoch (time 0).
If you then change the date to be the same day (which can be done without root permissions in modern Linux distros by using polkit or similar things), then you can use sudo to run commands as root without a password.
Presumably, sudo checks the 'last-successful-login' entry alone before deciding whether to require a password. It ends up thinking you've previously successfully logged in even if you've never actually typed in the needed password.
So there are two ways I can see to fix this. Either make setting the time always requires a password, or, add a signal that time-sensitive processes can listen to that gets tripped whenever time is altered.
There's a much simpler fix that is local to sudo. Sudo has to make the decision of whether to require a password. Just change the line that says something like:
if (current_time - last_password_time > INTERVAL) require_password();
It may be worth noting that local privilege escalation vulnerabilities have always been dime a dozen, this is just a more egregious one.
In your planning always keep in mind that anyone with shell-access to your server can become root in one way or another, if he really wants to. There is little "defense in depth" after that point.
After using sudo from the command line, just remember to run sudo -K (note the capital-K) and you should be protected. The -K removes the timestamp which makes it impossible to reset it to 1/1/70 with -k.
It works if you set your time through system preferences in OSX, Gnome and KDE on some distros. Changing it on those desktop guis does not require admin password. Also see:
