[hnlmorg]

> And if the target uses sudo at all you don't even need an exploit!

Why would a target executable use sudo? There are proper mechanisms for automated elevation of permissions and sudo isn’t it.

sudo is designed for user interactivity. And by default prompts for a password. However some people get lazy and disable the password entry requirement.

[IshKebab]

A target user. If you get local code execution on the account of a user that uses sudo you can trivially got root. Doesn't matter if they disabled the password authentication or not.

[hnlmorg]

Of course it matters if they disabled password authentication. If you require password authentication when running sudo then an attacker has to find a RCE exploit and then crack a password. Which is waaay beyond any effort the average attacker is willing to invest. Because At that point, root access isn’t really worth the effort.

An attacker will probably just use the host for sending spam emails, bot / DDoS traffic or look for other daemons they can jump to which weren’t web accessible (eg a database).

And furthermore, if you’ve got a RCE in a daemon then that code is the running as the daemons’ user. Which shouldn’t be in the sudoers file (eg wheel group) to begin with.

[IshKebab]

> If you require password authentication when running sudo then an attacker has to find a RCE exploit and then crack a password.

Nope! Just alias sudo to something that logs the password.

[gamer191]

Interesting. If that’s possible (I haven’t tested it, but I’m sure it is) then you wouldn’t even need to log the password. You could just alias sudo to a bash script that runs your malicious payload using the real sudo. Then the user would run the command, be prompted for their password by the real sudo, and be none the wiser that a malicious script has just been executed

For what it’s worth, Windows’ security model says it’s not an exploit that programs can grant themselves admin rights if the user is an admin (https://github.com/hfiref0x/UACME). But afaik Linux doesn’t have that model so it is a bit of an issue that this is possible

[hnlmorg]

> Interesting. If that’s possible

It’s not possible. At least not unless those users have already borked their own system.

The previous poster was clutching at straws.

[IshKebab]

Of course it's possible. I've tried it. It works. It's just standard Unix features. What makes you think it isn't possible?

[hnlmorg]

How are you going to do that without write access to the users home directory?

Like I said before, your RCE exploit will be running as the user and group of the service you exploited. For example www:www

So you’re not going to be able to write into Joe Bloggs .bashrc file unless Joe was stupid enough to enable write permission to “other”. Which, once again, requires the user to purposely modify the system into being less secure than its default configuration

[IshKebab]

> your RCE exploit will be running as the user and group of the service you exploited. For example www:www

Only if the exploit is through a web server or similar. If it's through the user's web browser, email client, video player, etc. etc. then you'll have write access to their home directory.

[hnlmorg]

But thats not a daemon then. Thats a completely different type of exploit from the ones we were originally talking about.

Yes, if a desktop application has a bug then it can do damage. But at that point, who cares about sudo? The exploit already has access to your ssh keys, browser cookies and history (so can access banking and shopping sites), crypto-currency wallets and so on and so forth.

What an exploit has access to here is so much worse than getting root access on a desktop OS.