Jumping sudo using ptrace

For many years now I've been making the claim that one can use the ptrace api to intercept the execution of sudo of another process (running as the same user) and replace the requested command with your own. For example, if a user was to do:

sudo apt-get install foo
Password:
...

they are instructing sudo to run apt-get, but an attacker can use the ptrace api to insert a new argument before apt-get which invokes their own program, which might do something malicious and then execute the original command requested by the user.

This could be useful to an attacker in a number of situations. For example, if the attacker has acquired access to a given account and notes that the account owner executes sudo, he can use this technique to escalate his privileges. Perhaps more important, however, is that a trojan or a virus can use this technique to get root, whereby its capability is greatly increased.

Similar attacks can be directed at su and other suid/sgid programs.

All of this is most likely not very much of a surprise to the security community, and I shall not present any possible remedy, except to say that ptrace is necessarily a very capable api and should not be implicated as "the" cause of this potential insecurity.

My purpose in writing this post is to provide demonstration code that, I hope, will clarify any misunderstandings about the potential of this technique, and move it from the often ignored domain of theoretical to practical threat so that it may be suitably addressed.


QuantumG
-----------------

usage: sudojump [-d] [-v] [-h]  
    -d drop original arguments.
    -v prints version info.
    -h prints this help.

Example of use.

Start a new xterm:
trentw@linux:~/work/sudojump$ ps
 PID TTY          TIME CMD
 1153 pts/5    00:00:00 bash
 1163 pts/5    00:00:00 ps

In other xterm:
trentw@linux:~/work/sudojump$ ./sudojump -d 1153 /usr/bin/id
execve (/usr/bin/sudo) "sudo", "apt-get", "update"                <- this will output in a sec

Back in xterm with pid 1153:
trentw@linux:~/work/sudojump$ sudo apt-get update
uid=0(root) gid=0(root) groups=0(root)
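
A defender's check for the condition the demonstration above relies on, written as an added example rather than code from the original post: on Linux, a process with a ptrace tracer attached shows that tracer's PID in the TracerPid field of /proc/<pid>/status. The names sudo_precheck, status_field and make_sample, the PROCROOT parameter and the sample status files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Linux only: relies on procfs.

# status_field FILE NAME: print the value of "NAME:" from a /proc/<pid>/status file.
status_field() {
    awk -v key="$2:" '$1 == key { print $2; found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# sudo_precheck PID [PROCROOT]: report whether PID (the shell about to run
# sudo) has a tracer attached. PROCROOT defaults to /proc; it is a parameter
# only so the function can be run against the constructed sample below.
sudo_precheck() {
    root=${2:-/proc}
    tracer=$(status_field "$root/$1/status" TracerPid) || { echo "unknown"; return 0; }
    if [ "$tracer" -ne 0 ]; then
        name=$(status_field "$root/$tracer/status" Name) || name="?"
        echo "traced tracer=$tracer name=$name"
        return 0
    fi
    # Yama ptrace_scope: 0 lets any same-uid process attach; 1-3 restrict it.
    scope=$(cat "$root/sys/kernel/yama/ptrace_scope" 2>/dev/null) || scope="absent"
    echo "untraced ptrace_scope=$scope"
}

# Constructed sample data (PID 1153 is reused from the post's session; the
# other PIDs and all status contents are made up for illustration).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/1153" "$d/1170" "$d/2000" "$d/sys/kernel/yama"
    printf 'Name:\tbash\nPPid:\t1100\nTracerPid:\t1170\n' > "$d/1153/status"
    printf 'Name:\tsudojump\nPPid:\t1160\nTracerPid:\t0\n' > "$d/1170/status"
    printf 'Name:\tbash\nPPid:\t1100\nTracerPid:\t0\n' > "$d/2000/status"
    echo 0 > "$d/sys/kernel/yama/ptrace_scope"
    echo "$d"
}

sample=$(make_sample)
sudo_precheck 1153 "$sample"   # shell with a tracer attached
sudo_precheck 2000 "$sample"   # untraced shell
sudo_precheck $$               # the live shell running this script
rm -rf "$sample"
```

The check is a point-in-time observation: a tracer that attaches after it runs is not seen, so it serves as a detection aid rather than a remedy.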


