Todd Miller Sudo Kerberos Authentication Local Authentication Bypass Weakness
BID:24368
Info
Todd Miller Sudo Kerberos Authentication Local Authentication Bypass Weakness
| Bugtraq ID: | 24368 |
| Class: | Design Error |
| CVE: |
CVE-2007-3149 |
| Remote: | No |
| Local: | Yes |
| Published: | Jun 07 2007 12:00AM |
| Updated: | May 07 2015 05:37PM |
| Credit: | Thor Lancelot Simon is credited with the discovery of this vulnerability. |
| Vulnerable: |
Todd Miller Sudo 1.6.8 p12 |
| Not Vulnerable: | |
Discussion
Todd Miller Sudo Kerberos Authentication Local Authentication Bypass Weakness
The 'sudo' utility is prone to a local authentication-bypass weakness when used in conjunction with Kerberos. Attackers must first gain local, interactive access to a computer running 'sudo' configured to authenticate via Kerberos. They may do this by exploiting other latent vulnerabilities.
Successfully exploiting this issue allows local attackers to bypass sudo's authentication prompt, allowing them to perform actions that are granted to users via the 'sudoers' file.
This issue affects 'sudo' 1.6.8p12; other versions may also be affected.
The 'sudo' utility is prone to a local authentication-bypass weakness when used in conjunction with Kerberos. Attackers must first gain local, interactive access to a computer running 'sudo' configured to authenticate via Kerberos. They may do this by exploiting other latent vulnerabilities.
Successfully exploiting this issue allows local attackers to bypass sudo's authentication prompt, allowing them to perform actions that are granted to users via the 'sudoers' file.
This issue affects 'sudo' 1.6.8p12; other versions may also be affected.
Exploit / POC
Todd Miller Sudo Kerberos Authentication Local Authentication Bypass Weakness
To exploit this issue, attackers use the affected 'sudo' utility itself, along with a fake KDC.
To exploit this issue, attackers use the affected 'sudo' utility itself, along with a fake KDC.
Solution / Fix
Todd Miller Sudo Kerberos Authentication Local Authentication Bypass Weakness
Solution:
The vendor has committed a fix to the 'sudo' CVS repository as of June 7, 2007. Please see the references for more information.
Solution:
The vendor has committed a fix to the 'sudo' CVS repository as of June 7, 2007. Please see the references for more information.
References
Todd Miller Sudo Kerberos Authentication Local Authentication Bypass Weakness
References:
References:
- CVS log for sudo/auth/kerb5.c (Todd Miller)
- Re: Sudo: local root compromise with krb5 enabled (Thor Lancelot Simon
) - Sudo Homepage (Todd Miller)
- Re: Sudo: local root compromise with krb5 enabled (Ken Raeburn)
- MIT krb5: makes sudo authentication issue MUCH worse. (Thor Lancelot Simon
) - Re: Sudo: local root compromise with krb5 enabled (James Downs
) - Re: Sudo: local root compromise with krb5 enabled ("Todd C. Miller"
) - Sudo: local root compromise with krb5 enabled (Thor Lancelot Simon
) - Re: Sudo: local root compromise with krb5 enabled ("Mark Senior"
)