Re: A simple temporary fix or am I missing something here?
But is a simple remediation just setting the /etc/sudoers file to be immutable?
Possibly, but since the bug allows you to append to any file, you'd be just whacking moles, figuratively speaking.
With the ability to append to any file, I could just write a new entry in the password file:
Then I could log in as user 'getroot' with no password, which should be effectively a synonym for the real root user.
Temporary fixes like this aren't really going to get you very far. Even if you lock down the most sensitive files, you just have to find a shell script that root will run at some point and that doesn't have an exit or exec command at the end of it. A quick check on my Debian system shows that /etc/cron.daily/0anacron fits the bill nicely. I could append something like:
cp /bin/bash $EVIL
chown root $EVIL
chmod +s $EVIL
Then I'd come back the following day and run my new setuid shell ...
bootnote: fucking stupid cloudflare filters kept telling me that I'd been blocked when I was trying to write the above. All because I mentioned "slash etc slash passwd", I think. You guys need to turn off that shit. How are we supposed to discuss articles if we can't even talk about a key *nix file?