Sudo and Su Considered Harmful, Sudo/Su Bruteforce Utilityby Javantea
Aug 10, 2010
Two years ago I noticed that su and sudo both contain a fatal flaw: administrator passwords. Administrator passwords have found themselves at the core of our security. OpenSSH does not allow root to login by default because on rare occasion administrator passwords can be bruteforced. Nearly all Linux and BSD systems recognize this. Some system administrators still don't recognize this due to business constraints. Users that have insecure passwords can be bruteforced if an attacker knows their name. The common system of first letter and last name or handle as the username gives an attacker a good list of users to bruteforce. How many administrators use the username jsmith? How many administrators use the username admin? Su and sudo may be considered harmful if we consider that usernames can be learned and that passwords can be bruteforced.
Removing the password component, we can compare sudo and su to the Windows Vista and Windows 7 administrator access security model: give a user administrator access when they ask for it. This person must be designated as an administrator by the original owner of the system. This seems obvious and tautological but we have yet to introduce an attacker with two different methods of attack.
An attacker bruteforces ssh because this has become the weakest point of Linux/BSD server security. After a certain amount of time an attacker has a low likelihood of getting a shell. If the attacker spends enough time they will succeed in finding a user with a weak password. AltSci.com had a bruteforceable password on a user account for more than a year. An attacker can use passwords that succeed to attack hosts in ~/.ssh/known_hosts and so forth. If the user has sudo, then the brute force ssh attacker will be able to get administrator privileges. This is no better than the Vista/Win7 security model because the attacker has the password.
If, on the other hand, the attacker gains code execution from a vulnerability that does not reveal the password, sudo and su both prevent the attacker from automatically gaining root privileges. The Vista/Win7 security model gives the attacker administrator privileges as soon as the attack succeeds. However, sudo and su are both vulnerable to trojan if the attacker has code execution access as the user. If the user has no utility to detect rogue processes (netstat, ps and so forth), an attacker can hide as a bash shell. The attacker can inject a trojan into the PATH and gain the user's password. If the user uses sudo often enough, the attacker just has to wait for the user to sudo at which point they also gain root privileges.
If the account that the attacker has gained is rarely logged in or rarely sudo, the attacker can start up a bruteforce utility. Depending on whether the user is in sudoers or the wheel group, sudo or su can be bruteforced with the utilities provided.
Passwords are a weak point in security. The alternative models of authentication are difficult to enforce in the real world, but many work well. SSH has properly implemented public key authentication although they have caused various troubles for admins over the years. Amazon EC2 enforces public key authentication to eliminate bruteforce and default password issues. Recently some hackers have started to use one time passwords. This may become a useful tool to eliminate keylogging and bruteforce attacks in the future. Biometric and other two-factor authentication systems are likely to cause various troubles while they attempt to solve these same issues. I have hope for cheap smart cards becoming integrated into authentication, but not rfid or biometric authentication.
su_brute1.py and sudo_brute1.py both use pexpect to automate sudo and su. Pexpect was designed to automate systems like scp, ssh, and telnet on multiple systems where a user either is not available or is uninterested in typing a password each time. A better system would be to use ssh-agent, but there are many use cases that don't support or require public key authentication. OpenCTF at Defcon 18 is one example.
date; head -n 100 ~/recent/john/rockyou1_order.txt | python ~/recent/sudo/sudo_brute1.py | grep ^data | wc; date Tue Aug 10 07:23:39 PDT 2010 102 102 1088 Tue Aug 10 07:27:30 PDT 2010 100 password attempts in 231 seconds. sudo less /var/log/auth.log ... Aug 10 07:26:51 dmitry sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/22 ruser=jvoss rhost=dmitry user=jvoss Aug 10 07:26:58 dmitry sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/22 ruser=jvoss rhost=dmitry user=jvoss Aug 10 07:27:04 dmitry sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/22 ruser=jvoss rhost=dmitry user=jvoss Aug 10 07:27:11 dmitry sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/22 ruser=jvoss rhost=dmitry user=jvoss Aug 10 07:27:17 dmitry sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/22 ruser=jvoss rhost=dmitry user=jvoss Aug 10 07:27:24 dmitry sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/22 ruser=jvoss rhost=dmitry user=jvoss Aug 10 07:27:55 dmitry sudo: pam_unix(sudo:session): session opened for user root by jvoss(uid=0) Aug 10 07:27:55 dmitry sudo: pam_unix(sudo:session): session closed for user root
./john --stdout --incremental | python su_brute1.py python su_brute1.py < rockyou1_order.txt ./john --stdout --incremental | python sudo_brute1.py python sudo_brute1.py < rockyou1_order.txt
Passwords are a low risk system in computer networks but they represent a higher risk than Sendmail, Apache, OpenSSH, OpenBSD, and many other server software systems. Why is this? Bad passwords have 36^6 = 2176782336 or less possible values. Sendmail had a remote exploit in 2006. Apache had a remote exploit in 2009. An attacker can get remote execution via bruteforce in less than 2176782336 tries. An attacker would need to find a Sendmail system unpatched since 2006 to exploit it. An attacker would need to find an Apache system unpatched since 2009 to exploit it. You may argue but it is my opinion that bruteforce attacks are more profitable to an attacker than Apache or Sendmail attacks today. In comparison to IE6, IE7, Firefox, Opera, Safari, Adobe Flash, or PDF readers though, passwords are much lower risk until browser security comes a long way.
Once browser security improves considerably, other services and passwords will take their place at the forefront of insecurity. As a security researcher I have found myself researching this issue before bruteforce becomes a worse issue than browser security. Of course I am not the first researcher or programmer to notice this issue. Allow me to state once again: Sudo and Su may be considered harmful.
If you are interested in working on threat models like the ones presented in this article, there are job openings for intelligent hackers at Seattle firms (not including AltSci Concepts). E-mail me with your résumé and mention this article and I will attempt to get you at least one interview.