Thursday, September 12, 2013

Using “sudo” Without a Password

Todd C. Miller (via Dan Goodin):

The flaw may allow someone with physical access to a machine that is not password-protected to run sudo commands without knowing the logged in user’s password. On systems where sudo is the principal way of running commands as root, such as on Ubuntu and Mac OS X, there is a greater chance that the logged in user has run sudo before and thus that an attack would succeed.

The bug was reported in March. Mac OS X 10.8.5 ships with sudo 1.7.4p6, which would seem to be within the range of versions exhibiting the bug.

4 Comments

Mmm. The 10.8.5/security update 2013-004 release notes imply that they fixed the issue.

Quote: “This issue was addressed by checking for an invalid timestamp.”

@Philippe Hmm, I wonder why they patched it instead of updating to a newer version of sudo.

Apple almost never upgrades non-Apple software in major OS X versions — all it does is increase the testing burden.

(And by major, I meant minor/security updates. Sorry.)
