Hooking graceful moments: A security analysis of Sudo session handling

Abstract

Sudo is a widely used utility program that temporarily provides the privileges of other users when executing shell commands on many UNIX and Linux systems. In conventional usage, a Sudo user who passes password authentication is eligible to execute a series of shell commands with system administrative privilege for a while. Because Sudo enables privilege switchover, it is by nature an attractive target for privilege escalation attacks. Although the Sudo source code has been reviewed by security researchers and patched accordingly, in this paper we show that Sudo is still vulnerable to session hijacking attacks by which an attacker is able to achieve privilege escalation. We explain how such attacks are possible by spotlighting the inherently flawed session handling of Sudo. We also describe two attack designs - the shell proxy attack and the ticket reuse attack - by revisiting some known attack strategies. Our experimental results show that recent versions of Sudo, in combination with the underlying shell program, are affected by the attack designs.

Jeong, J. H., Kim, H. C., Park, I. H., & Noh, B. N. (2016). Hooking graceful moments: A security analysis of Sudo session handling. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9836 LNCS, pp. 41–60). Springer Verlag. https://doi.org/10.1007/978-3-319-44524-3_3
