PerlMonks  

Greetings and salutations | sudo

by zentara (Archbishop)
on Feb 05, 2020 at 19:39 UTC (#11112448)

zentara has asked for the wisdom of the Perl Monks concerning the following question:

My Perl brain never dies. I was looking at the perl code used to break a misconfigured sudo installation at https://thehackernews.com/2020/02/sudo-linux-vulnerability.html

The code being

perl -e 'print(("A"x 100 . "\x{00}") x 50)' | sudo -S id
So, in the interest of all good programmers everywhere, what would be the best defense against a buffer overflow, as shown above? How would one most efficiently and effectively take login information so the c libraries below, or Perl itself, are not locked up? If you were taking that sudo input pipe with perl code, how would you stop a code lockup with Perl as an input filter?

I would write the code myself, but remember, laziness is a virtue, :-)

BTW I still see Perl as the best tool for bizarre code magic, and I've yet to really see it fail me when using it, whereas Python mixups between 2.7 and 3.5, pip, pip3, WTK******??????? x 50 just is off the wall crazy. Nothing works as well as CPAN. And remember, Perl comes with Perl/Tk and Perl/GTK2 which have much smaller footprints and libraries loaded than the other bloatware graphics coding schemes. :-) All the libraries come standard in most distros, same libs firefox uses.

.... in the immortal words of Winston Churchill, KBO.... I'm still alive in my cave...


I'm not really a human, but I play one on earth. ..... an animated JAPH

Replies are listed 'Best First'.
Re: Greetings and salutations | sudo
by bliako (Parson) on Feb 07, 2020 at 11:49 UTC

    If I understand your post right, you want to use Perl to stop buffer overflow or other vulnerabilities in unrelated binaries.

    If that's right, then as I see it, you either run said binaries and Perl pipes input to them, as you demonstrate.

    Or have Perl spawn them (e.g. via a system) but within a special sandbox (this is very abstract, I am not sure how to do that).

    The latter case is interesting because it can check the binary for vulnerabilities before spawning it. Like here: https://stackoverflow.com/a/8783198 . In fact, there must be a tool already for scanning executables or source code for such vulnerabilities, given all this "AI" hype, even if very mechanistic and limited. For one, gcc warns me about copying larger data onto fixed-size arrays.

    bw, bliako

      Thank you bliako, nice answer. I was thinking along the lines of using Perl to check the input length of the entry data, and reject it if it is longer than X many bytes.

      I'm not really a human, but I play one on earth. ..... an animated JAPH
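An added example, not code posted in this thread, of the length-checking input filter zentara describes: it reads a bounded number of bytes from STDIN, rejects anything oversize, NUL-laden or containing control characters, and only forwards a vetted line. The 255-byte cap and the reject-rather-than-truncate policy are this example's assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a bounded stdin filter that
# rejects input a privileged program should never see. The 255-byte cap
# and the "reject rather than truncate" policy are assumptions.
use strict;
use warnings;

use constant MAX_LEN => 255;

# Returns (1, undef) if $buf is acceptable, (0, $reason) otherwise.
sub check_secret {
    my ($buf, $max) = @_;
    $max = MAX_LEN unless defined $max;
    return (0, 'empty input')            if !defined $buf || $buf eq '';
    return (0, "longer than $max bytes") if length($buf) > $max;
    return (0, 'embedded NUL byte')      if index($buf, "\0") != -1;
    # Any other control character (BS, ESC, ...) is not a plausible password.
    return (0, 'control character')      if $buf =~ /[\x01-\x08\x0B\x0C\x0E-\x1F\x7F]/;
    return (1, undef);
}

# Read at most $max+1 bytes: one more than allowed, so an oversize input is
# detected without ever buffering an attacker-sized stream in memory.
sub read_bounded {
    my ($fh, $max) = @_;
    binmode $fh;
    my $buf = '';
    my $got = read($fh, $buf, $max + 1);
    return undef unless defined $got;
    $buf =~ s/\r?\n\z//;          # a single trailing newline is fine; drop it
    return $buf;
}

unless (caller) {
    my $secret = read_bounded(\*STDIN, MAX_LEN);
    my ($ok, $why) = check_secret($secret, MAX_LEN);
    if (!$ok) {
        print STDERR "filter: rejected input ($why)\n";
        exit 1;                   # nothing is forwarded to the privileged command
    }
    print "$secret\n";            # hand the vetted line on, e.g. to sudo -S
}
```

Fed the thread's own payload (`perl -e 'print(("A"x 100 . "\x{00}") x 50)'`), the filter reads 256 bytes, reports "longer than 255 bytes" and exits 1, so the privileged command on the other side of the pipe never receives the data.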

        Then you may want to keep a database of buffer overflow sizes for each of these poisoned applications. Hehe! Be prepared for lots and lots of entries ... unfortunately. This latest sudo/linux vulnerability to go unnoticed for several years plus all the promotion of sudo (virtually every single howto page for OSX/Linux will mention sudo at least 10 times. Some will even say "sudo here is not necessary but it will do no harm".) makes me very sceptical, elevates my usually high scepticality factor by an order of magnitude. Or two.

        On the other hand I present ... PerlOS - and no that's not this.

        bw, bliako

Re: Greetings and salutations | sudo
by Anonymous Monk on Feb 05, 2020 at 23:37 UTC
    -fstack-protector-all doesn't catch it ?
Re: Greetings and salutations | sudo
by Anonymous Monk on Feb 06, 2020 at 14:31 UTC
    Maybe start by always making sure that you're using an account that can't sudo?
      The problem is that almost all distros are forcing users to use sudo now. Even Kali Linux is now requiring the use of sudo. When I run the exploit on my Slackware Linux install, I just get a message "be considerate of other users". :-)

      I'm not really a human, but I play one on earth. ..... an animated JAPH
        The problem is that almost all distros are forcing users to use sudo now.

        What are the alternatives?

        • Handing out the root password to everyone needing it?
        • Using su? Full, unrestricted root for everyone? That's nearly as evil as handing out the root password.
        • Using doas? The latter looks good, but is BSD-only.

        sudo was designed to be safe, including restricting users to run only some commands as root, and optional logging. But it became too complex when it tried to prevent subshells running as root, e.g. by injecting libraries (IIRC) and by filtering command parameters.

        Using sudo just as a prefix for any command to be run as root is syntactically correct, but in this very common default configuration it is nothing more than a su replacement asking for the user password instead of the root password for all people being part of the wheel group (sudo group on Debian, because wheel is evil for some strange reason).

        A safe sudo configuration is possible, but it requires a lot of time thinking through the capabilities of the sudo configuration. See below.

        This particular exploit breaks a completely nonsense feature, echoing a * for every character of the password typed in, which is OFF by default. Linux distributions became vulnerable to this exploit when they messed with the configuration of sudo.

        sudo has a problem: Too many features. doas fixes that for *BSD.

        sudo has two other problems: An unusual config file format and a man page for that starts with "how to read this manual". https://xkcd.com/1343/. My favorite heading is "Quick guide to EBNF". Yes, it may be technically correct, but it is on the far right side of the xkcd.

        Alexander

        --
        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

      Good one, mike. Talk about missing the point. :eyeroll:

Node Type: perlquestion [id://11112448]
Approved by Corion