[SGVLUG] sudo newgrp somegroup = local root escalation

Sean O'Donnell sean at seanodonnell.com
Wed Aug 3 18:55:03 PDT 2016


TIL: If a user has 'sudo' access, AND is allowed to execute 'newgrp',
the result is that the user gets switched to the root user, if the
command executes successfully.

[x0d at wopr.mil cli]$ sudo newgrp root
[root at wopr.mil cli]#

While I used the 'root' group for this example (because it exists), the
same could be applied to any existing group on the system, and still
result in the same local root escalation.

I see that this has been a known issue in terms of disclosure, since at
least 2003 (quickly glancing at Google results), yet it's not a commonly
known issue, from most engineers I work with or have talked to.

I know it's really the responsibility of the sysadmin who makes the sudo
rules to address this, but it appears that this is news to most of the
sysadmins I'm working with here.

Anyhow, just curious if others were aware of this, or not.

The reason I mention this is because it appears to be an issue that
Apple fixed in one of their OS updates, but most Linux distros still
allow this (Debian/CentOS/Fedora/etc.). It just seems like a bad idea to
ship common distros with this capability, wouldn't you agree?

-Sean
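
An audit for the kind of sudo rule described in the message above, added here as an example and not part of the original post: it flags sudoers entries that let a user run newgrp, either directly or through a Cmnd_Alias. The function names and the sample sudoers text are constructed for illustration, and the parser assumes one alias per Cmnd_Alias line.

```python
import re

# Constructed sample sudoers content for this example (not from the post).
SAMPLE_SUDOERS = r"""
# helpdesk may manage groups
Cmnd_Alias GROUPTOOLS = /usr/bin/gpasswd, \
                        /usr/bin/newgrp
alice     ALL=(root) /usr/bin/systemctl restart httpd
bob       ALL=(root) NOPASSWD: /usr/bin/newgrp
%helpdesk ALL=(root) GROUPTOOLS
carol     ALL=(root) ALL, !/usr/bin/newgrp
"""

NON_RULE = re.compile(r"(Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias|Defaults)\b")

def logical_lines(text):
    """Join backslash continuations; drop blank lines and '#' lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def is_newgrp(cmd):
    """True if the entry's program is newgrp and it is not a '!' negation."""
    words = cmd.split()
    return bool(words) and not words[0].startswith("!") \
        and words[0].rsplit("/", 1)[-1] == "newgrp"

def find_newgrp_grants(text):
    """Return (who, command) pairs for rules that allow running newgrp."""
    lines, aliases, findings = logical_lines(text), {}, []
    for line in lines:  # first pass: collect command aliases
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    for line in lines:  # second pass: user and group rules
        parts = line.split(None, 1)
        if NON_RULE.match(line) or len(parts) < 2 or "=" not in parts[1]:
            continue
        who, spec = parts
        cmds = re.sub(r"\([^)]*\)", "", spec.split("=", 1)[1])  # drop (runas)
        for cmd in cmds.split(","):
            cmd = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", cmd).strip()  # drop tags
            for entry in aliases.get(cmd, [cmd]):
                if is_newgrp(entry):
                    findings.append((who, entry))
    return findings

if __name__ == "__main__":
    for who, cmd in find_newgrp_grants(SAMPLE_SUDOERS):
        print(f"{who}: sudo rule allows {cmd}")
```

Feed it the contents of the sudoers file and any files it includes. A rule that grants ALL is not flagged, since it already grants full root, and an explicit '!' exclusion of newgrp is treated as not granting it.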





