Helith - 0815
--------------------------------------------------------------------------------
Author           : Rembrandt
Date             : 2010-03-17
Affected Software: sudo <= 1.7.2.p3
Affected OS      : OpenBSD up to 4.7
                   Debian 5.0.4
                   Gentoo
                   any other OS using sudo (depending on the default configuration)
Type             : Local Authentication Bypass due to a design issue

sudo, in the default configuration, uses a token to remember whether a user has
entered the password. This token stays valid even after the user who invoked sudo
has logged off. An attacker who is able to access the system without knowing the
user's password can abuse sudo until the timer expires.

sudo is either compiled with a default value specifying the lifetime of the token,
or configured via /etc/sudoers to override the default setting.

Example default values:

  OpenBSD - 5 minutes
  Gentoo  - 5 minutes
  Debian  - 15 minutes

Steps to reproduce:

  $ ssh host
  $ sudo application
  [type in the password]
  $ logoff
  $ ssh host
  $ sudo application

An attacker could check whether a victim used sudo by parsing the shell history or,
on misconfigured systems, by checking the contents of /var/run/sudo or parsing
/var/log/secure, and in the worst case gain a root shell.

To prevent this threat add "timestamp_timeout 0" to your sudoers file, or reduce the
lifetime of the token to a very low value such as one or two minutes. If your
operating system supports bsd_auth you should consider using a one-time password
system like S/Key to harden sudo further.

Thanks to Todd C. Miller for providing feedback and to Jericho, who noticed
something similar back in 1998.

In the worst case an attacker can take over a system without knowing a single
password. Today any non-critical bug (web applications, SQL, ...) can be combined
with such insecure defaults to compromise a system.

Kind regards,
Rembrandt

Reference: http://attrition.org/~jericho/works/security/bugtraq-01.html
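As an added example (not part of the advisory), a small Python audit that parses the sudoers(5) "Defaults timestamp_timeout=N" form, including per-user/host scoped Defaults and backslash-continued lines, and rates the effective token lifetime using the compiled-in defaults listed above. The sample sudoers content, the deploy user and the two-minute threshold are constructed assumptions.

```python
"""Added example: audit sudoers 'Defaults' lines for timestamp_timeout
(sudoers(5): 0 = always prompt, negative = token never expires until reboot)."""
import re

# Compiled-in token lifetimes (minutes) as stated in the advisory.
COMPILED_IN_DEFAULT_MINUTES = {"openbsd": 5.0, "gentoo": 5.0, "debian": 15.0}
# 'Defaults' optionally followed by a scope: ':user', '@host', '!cmd', '>runas'.
DEFAULTS_RE = re.compile(r"^Defaults([:@!>]\S+)?\s+(.*)$")
SEVERITY = ["OK", "WEAK", "CRITICAL"]  # index = severity order


def timestamp_timeouts(sudoers_text):
    """Return (global timeout or None, {scope: timeout}) found in the text."""
    found = {}  # scope (None = global) -> minutes; the last setting wins
    text = sudoers_text.replace("\\\n", " ")  # join '\'-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (simplified)
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        scope, options = m.group(1), m.group(2)
        for option in options.split(","):
            key, sep, value = option.strip().partition("=")
            if sep and key.strip() == "timestamp_timeout":
                found[scope] = float(value)
    return found.pop(None, None), found


def _rate(minutes, max_minutes):
    if minutes < 0:
        return "CRITICAL"  # token survives until reboot
    return "OK" if minutes <= max_minutes else "WEAK"  # 0 = always prompt


def audit_timestamp_timeout(sudoers_text, os_name, max_minutes=2.0):
    """Effective lifetime and the worst rating over global and scoped settings."""
    global_timeout, scoped = timestamp_timeouts(sudoers_text)
    effective = COMPILED_IN_DEFAULT_MINUTES[os_name.lower()] if global_timeout is None else global_timeout
    ratings = [_rate(effective, max_minutes)] + [_rate(v, max_minutes) for v in scoped.values()]
    return {"effective_minutes": effective, "scoped": scoped,
            "verdict": max(ratings, key=SEVERITY.index)}


# Constructed sample (not a real system's file): 15-minute global token plus a
# per-user override that never expires.
SAMPLE_SUDOERS = """\
Defaults timestamp_timeout=15, \\
        passwd_tries=3
Defaults:deploy timestamp_timeout=-1
"""
```

A file with no Defaults line at all is rated against the compiled-in default for the named OS, so an untouched Debian or OpenBSD sudoers comes out as WEAK under the two-minute threshold.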