Silkenweb Example: Hackernews Clone

Sudo-rs' first security audit

62 points by Argorak 1 year ago | 59 comments

comex 1 year ago
> Description: The cargo release build does not strip symbols, so they will be included in the final binary. (..) Impact: Since the code is open source, there is not much information to be gained, but removing these symbols might make reverse engineering of the binary harder.
What a ridiculous finding.
I can try to steelman the argument. Sure, maybe "reverse engineering of the binary" is useless most of the time for an open source project because you can just look at the source code. But if there were hypothetically a memory corruption vulnerability in sudo-rs, then an attacker would want to identify the specific machine code corresponding to the vulnerable source, in order to determine how it could be exploited. That wouldn't be too hard to achieve without symbols, but symbols would definitely make it easier.
Except… even if the binary has symbols stripped, you can just `apt install sudo-rs-dbgsym`, or use debuginfod, to get the full debug info including symbols and DWARF records. Because distros provide that for all their packages. As a feature. To assist debugging.
Even if distros didn't distribute debug symbols, today's security best practices include reproducible builds, which means you should be able to rebuild the package yourself and get the exact same binary, plus the symbols.
So while it might save a tiny bit of disk space to strip the symbols, the security benefit is absolutely nil.
…Well, in theory anyway. In practice, Debian's sudo-rs package seems to be missing both a dbgsym package and reproducible build info. But that's a bug!
- Smaug123 1 year ago
  That is what "low" means as a vulnerability severity! "Low" means "you totally don't need to do anything about this".
  The reported property does make the attacker's job slightly harder, after all, since they need to go and work out where the symbols are rather than just having them right there in front of them.
  - comex 1 year ago
    The problem with the report isn’t just that it’s minor. The problem is that it’s directionally wrong. If the change makes life even slightly harder for attackers, then it makes life harder to exactly the same extent for legitimate users trying to debug their programs. The fact that debuginfo is widely distributed demonstrates that distros prioritize the benefits of debuggability over the benefits of obscurity, and there’s no reason that weighting should be different in the small versus in the large. So, if security and debuggability were the only concerns, debuggability should win and distro binaries should never be stripped. It just so happens that there is an unrelated concern, disk space, that justifies stripping them anyway, but that doesn’t justify characterizing the lack of stripping as a security flaw, not even an incredibly minor one.
- kaba0 1 year ago
  > Even if distros didn't distribute debug symbols, today's security best practices include reproducible builds, which means you should be able to rebuild the package yourself and get the exact same binary, plus the symbols
  Well, that’s why binary randomization/fuzzing is an important security research topic. If everyone would be running semantically identical, but not binary-identical programs, a ROP-based vulnerability would not be able to spread across computers, or in absence of the correct binary on the target device, it would be infeasible.
  - GauntletWizard 1 year ago
    This is the very definition of security through obscurity. If everyone were running "semantically identical, but not binary-identical programs" there would be debugging tools to automatically patch your patches for each target device.
    - kaba0 1 year ago
      How would that work with fuzzing at the compiler step, say, inlining a non-critical function at a place in one place but not in the other?
      This is a real security topic, don’t handwave it away without knowing about it.
- Kab1r 1 year ago
  You could also always compile it from source with the debug symbols even if it wasn't provided by a distro.
- mtlmtlmtlmtl 1 year ago
  If you can apt-get stuff, why would you be trying to exploit sudo? Even assuming apt-get was the only thing you could run as root, that would essentially allow arbitrary filesystem changes anyway. Escalating to full root from that would be trivial.
  - kaba0 1 year ago
    You can do that on an identical system you have access to. Then you discover the necessary vulnerability and apply it on the target system.
  - codetrotter 1 year ago
    You don’t need to be root to retrieve the debug symbols from apt if the debug symbols were in the apt repository
    Something like
```
    apt-get download sudo-rs-dbgsym

    mkdir -p ~/tmp/

    dpkg -x sudo-rs-dbgsym.deb ~/tmp/
```
    should provide what you need I think
- 3c6bYDXLMj 1 year ago
  Come off it. That’s what the severity rating is for. Anyone used to reading these sorts of reports comes to expect these things. And someone saying “all you have to do, is simply…” doesn’t change the fact that there’s suddenly more effort involved.
- 1 year ago
aliceryhl 1 year ago
I'm surprised that CLN-003 made the list even as low severity. It's intended to make reverse engineering of the binary harder, but the code is already freely accessible (and CLN-003 also acknowledges this).
- RcouF1uZ4gsC 1 year ago
  That vulnerability seems like something added to adhere to the rule of 3. In at least Western culture, we have this ingrained thing for groups of 3 - for example Trinity, 3 point outline, 3 sentences in a paragraph etc.
  It seems like this was picked to end up with 3 vulnerabilities so the security researchers can feel they did a complete job.
- thiht 1 year ago
  I see it as a note to be exhaustive. It’s the kind of thing if you don’t add it to your report, some smart ass WILL say something like « actually they forgot about the bin symbols, how could they miss this? ». There’s always someone like this.
g-b-r 1 year ago
The arbitrary delete vulnerability scared me at first, but are there really situations where a non-root user can create a new user??
- mtlmtlmtlmtl 1 year ago
  In practice, I doubt it. But sudo offers highly granular permission controls. You can permit a user to only run certain commands as root. So it is a real vuln in the sense that if you give someone that ability, you've now given them more than intended.
cedws 1 year ago
I just ran tokei in the sudo-rs repository and there's over 28,000 lines of code not including whitespace. The Rust rewrite is a good step forward but we should really be asking ourselves if we need all this complexity in something so critical.
OpenBSD's doas is 108 lines of C. sudo and doas are not equivalent in functionality, but it shows how simple things can really be.
https://github.com/openbsd/src/blob/master/distrib/special/d...
- eep_social 1 year ago
  Which parts are you thinking of removing? The goal is “to build a drop-in replacement for all common use cases of sudo” so the doas comparison doesn’t really follow.
  The fabulous article mentions that, “sudo-rs only has 3 dependencies in its dependency graph” so maybe they could trade loc for deps but that doesn’t seem wise to me.
  The audit found one moderate path traversal vulnerability which was also present in og sudo, so I’m not sure how your suggestion could be made practical.
  - cedws 1 year ago
    >Which parts are you thinking of removing?
    All of it. Seriously. doas demonstrates that sudo's primary function (running commands as another user) can be achieved in an order of magnitude less code and a significantly smaller attack surface.
    90% of people don't need more than that, they don't need all the bells and whistles that sudo offers. We aren't in the 90s running on mainframes anymore.
    As an aside, doas and sudo are conceptually broken from a security POV because the user's shell can be played with to elevate privileges. The real fix is dump doas and sudo entirely.
    - eep_social 1 year ago
      > conceptually broken
      I agree, but the goal of this particular project is to make sudo as safe as possible. Within the stated goal, I don’t think significant LOC reduction is a feasible side quest.
      Evangelizing the removal of sudo entirely is an interesting thought but given how widely deployed it is, I see a ton of value in having a sudo-rs stopgap between now and then.
    - joelthelion 1 year ago
      > As an aside, doas and sudo are conceptually broken from a security POV because the user's shell can be played with to elevate privileges. The real fix is dump doas and sudo entirely.
      Could you elaborate on this?
  - codetrotter 1 year ago
    > the doas comparison doesn’t really follow
    The real question is, do you really need everything that sudo can do? Or would doas be sufficient?
    On my FreeBSD servers, I install doas instead of sudo, and I have never once found myself missing any features in spite of having completely replaced sudo with doas on my FreeBSD servers.
    Replaced as in, I no longer even have sudo installed on my FreeBSD servers. I switched from sudo to doas cold turkey years ago and haven’t looked back.
    (On Linux I still use sudo, but that is simply because it comes pre-installed on the Linux distros I use so I haven’t bothered to install doas instead there.)
    doas does exactly what I need; run the following command as root.
    - eep_social 1 year ago
      Right, I’d speculate that removing sudo for doas is a heavy but feasible lift at the distro level. But as I said elsethread, I’m also very interested in an as-safe-as-possible replacement between now and then. Removing the need entirely (as they are both conceptually broken) seems like a huge lift that’s probably not feasible without fundamental changes. Could it be done within POSIX? IDK but I’d guess not.
    - e12e 1 year ago
      Users and groups (auth/autz) via kerberos/ldap/active directory? Radius?
      Not something "most users" would need - and probably handled in Pam, not sudo - but it's one thing that comes to mind.
    - inferiorhuman 1 year ago
      On FreeBSD the only thing I miss from sudo is the credential caching. I believe opendoas uses the same fairly portable method that sudo does. doas uses an OpenBSD-specific API.
  - technion 1 year ago
    I think the one moderate vulnerability is an example of this. I have serious doubts about anyone having wanted to use that remove timestamps parameter in 2023. I'd be surprised if many people know it exists.
    I more surprised an os would let you make a user with "../../" in the name though. I'd bet a heap of things would break. A while back I saw a guy name his windows desktop with an emoji and all sorts of software fell over.
    - cedws 1 year ago
      >A while back I saw a guy name his windows desktop with an emoji and all sorts of software fell over.
      Presumably all of it was written in languages built on old assumptions that a single character is one byte.
    - Karellen 1 year ago
      > I more surprised an os would let you make a user with "../../" in the name though.
      There may be protections at some levels, but eventually a username is just an entry in a database. Admittedly, you do have to be on the other side of the airtight hatchway to do it, but modifying a line in /etc/passwd to have the field before the first ":" be "../../" is something the os can't really do much about once it's there.
    - eep_social 1 year ago
      Funny enough, my iphone has an emoji-only name and everything seems to work. I haven’t dared try with a machine I might want to ssh into though.
- xerxes901 1 year ago
  This doesn’t really change your conclusion, but I think that’s the wrong file. This is the real doas afaict: https://github.com/openbsd/src/blob/master/usr.bin/doas/doas...
  Still just a tidy 1072 lines in that folder though.
  I spent 5 minutes staring at your file trying to understand how on earth it does the things in the man page, but of course it doesn’t.
  - cedws 1 year ago
    Thanks, you're right. I was surprised how sparse it was.
- wrs 1 year ago
  It would be great to have an educational effort to that effect: if you don’t need sudo, use doas.
  However, there are about six billion* things in existence right now that use sudo, so it’s a good idea to make sudo safer as well.
  * rhetorical statistic
- biorach 1 year ago
  > we should really be asking ourselves if we need all this complexity in something so critical
  What is all the complexity? What is all the extra functionality that sudo offers?
  - Karellen 1 year ago
    The ability to specify limited groups of commands that a subset of users can run, among other things.
    The "Examples" section of the sudoers(5) man page is probably a good place to start to get an idea of the sorts of ways it can be configured
    https://manpages.debian.org/bookworm/sudo/sudoers.5.en.html#...
  - ahefner 1 year ago
    So I inherited a machine in our lab last week (not a "production" or "test" server, just a random machine being used as a dev environment) and decided to change its hostname using systemd's hostnamectl. Subsequently every attempt to execute a command via 'sudo' caused it to hang for multiple tens of seconds before declaring it couldn't resolve the new (nonexistent, entirely local) hostname. This persisted until I eventually fixed the /etc/hosts file which the systemd thing had failed to do, and I still don't know why sudo wanted to look up this hostname over the network, or what bad things could've happened if one of the configured DNS servers had maliciously replied for it.
    - g-b-r 1 year ago
      Have you checked the sudoers?
  - trclst 1 year ago
    sudoedit would be an example.
  - cedws 1 year ago
    Good question, never used it.
- 0xbadcafebee 1 year ago
  You can live a really simple life if you just stop using computers.
  Simple isn't always better.
- 1 year ago
0xbadcafebee 1 year ago
```
  CLN-001: relative path traversal vulnerability (moderate)

  During the audit, it came to light that the original sudo implementation was also affected by this issue, although with a lower security severity due to their use of the openat function.
```
I thought Rust was secure? How is it possible to write a program in Rust and still have the same security vulnerabilities, and actually be higher severity?
It's almost as if changing to an entirely new programming language and ecosystem isn't enough to make a secure application, and that you still have to try hard to secure it, regardless of the language.
How interesting.
- ncallaway 1 year ago
  > It's almost as if changing to an entirely new programming language and ecosystem isn't enough to make a secure application, and that you still have to try hard to secure it, regardless of the language.
  Has anyone argued that switching to Rust alone is sufficient to stop all security vulnerabilities?
  Has anyone suggested that switching to Rust means you no longer need to do any work to write secure applications?
  It seems to me you're arguing against a totally self-constructed straw-man.
- dataking 1 year ago
  This is a logic error whereas Rust delivers a way to drive down memory errors (assuming parent comment isn't mocking Rust advocates).
- viraptor 1 year ago
  That's a low quality troll. Nobody was saying rust solves all security issues.
  - 0xbadcafebee 1 year ago
    It's hilarious that people invented an entirely new language to prevent a single attack vector. That's like learning Perl because it has no buffer overflows.
    - viraptor 1 year ago
      Come on, you're not even good at this. Have you considered doing something productive with your time instead?
- 1 year ago