Sudo Caching
The sudo
command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments." (Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout
that is the amount of time in minutes between instances of sudo
before it will re-prompt for a password. This is because sudo
has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo
with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets
variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
Adversaries can abuse poor configurations of this to escalate privileges without needing the user's password. /var/db/sudo
's timestamp can be monitored to see if it falls within the timestamp_timeout
range. If it does, then malware can execute sudo commands without needing to supply the user's password. When tty_tickets
is disabled, adversaries can do this from any tty for that user.
The OSX Proton Malware has disabled tty_tickets
to potentially make scripting easier by issuing echo \'Defaults !tty_tickets\' >> /etc/sudoers
(Citation: cybereason osx proton). In order for this change to be reflected, the Proton malware also must issue killall Terminal
. As of macOS Sierra, the sudoers file has tty_tickets
enabled by default.
Mitigations |
|
Mitigation | Description |
---|---|
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Sudo Caching Mitigation |
Setting the |
Operating System Configuration |
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. |
Detection
This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT
and LOG_OUTPUT
directives in the /etc/sudoers
file.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.