[Iftop-users] Security Issue With iftop

Ali Jawad alijawad1 at gmail.com
Tue, 19 Jan 2010 01:56:09 +0300



Just to be fair, even text editors do allow for such functionality. The
simplest way to deal with this is to make use of the noexec functionality of
sudo. It does prevent a process from spawning a shell.

On Mon, Jan 18, 2010 at 9:34 PM, Ali Jawad <alijawad1@gmail.com> wrote:

> Hi Paul
> I discovered it by accident, and well you are right about bugs for
> privilege escalation. But this is not a bug, it is a feature that can be
> used for privilege escalation.
> I did google around and as you said it is barely known. I can see the
> benefits of the feature, to see live changes in traffic shaping by
> executing different traffic shaping scripts through the command prompts and
> seeing the results.
>
> For my own needs, I will remove the deb package and recompile from source.
>
> Regards
>
>
> On Mon, Jan 18, 2010 at 9:24 PM, Paul Warren <pdw@ex-parrot.com> wrote:
>
>> Ali,
>>
>>
>> On 18 Jan 2010, at 16:35, Ali Jawad wrote:
>>
>>  As you all know a non root user can not run iftop. So the most obvious
>>> workaround is to use sudo. Now if you give a regular user sudo access he
>>> will execute.
>>>
>>> sudo iftop
>>>
>>> Once he is inside iftop, he can execute ! and he will get the following
>>> prompt
>>>
>>> command >
>>>
>>
>> I have to say, I'd completely forgotten that that feature existed!
>>
>>
>>  At this point a user can execute su, and he will get a root shell. He can
>>> also execute any command in privileged mode. The idea of using sudo
>>> initially was giving the user iftop access. However the user ends up with
>>> total root access.
>>>
>>
>> Indeed.
>>
>> There are two answers to this.  The first is that although this provides
>> the user with a very direct and simple way of getting a shell, I would not
>> warrant that there are not bugs in either iftop or any of its library
>> dependencies that can be exploited to give privilege escalation.  This
>> applies to just about any non-trivial program that you may wish to make
>> available via sudo.
>>
>> The second answer is that there's a compile-time option to disable this
>> functionality (which I'd also forgotten about, but the change log claims it
>> was introduced in 0.17).
>>
>> I can't remember exactly how to use it, but something like:
>>
>>        export CFLAGS=-DNO_SYSTEM
>>
>> then rebuilding may do what you want.
>>
>> Paul
>>
>>
>
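An added example, not code from this thread or from the iftop project, for the sudo noexec control mentioned at the top of the message: a POSIX shell/awk audit that flags sudoers-style rules granting a command without the NOEXEC: tag (taking a global "Defaults noexec" and an explicit EXEC: override into account) and prints the hardened form of each flagged rule. User names, the rule sets and the iftop path are constructed sample values.

```shell
# Added example (not from the iftop thread or project): audit sudoers-style
# rules for a command granted without the NOEXEC tag. Constructed sample values.
SAMPLE_RULES='alice ALL=(root) /usr/sbin/iftop
bob   ALL=(root) NOEXEC: /usr/sbin/iftop
carol ALL=(ALL) NOPASSWD: /usr/sbin/iftop -i eth0
# comment mentioning /usr/sbin/iftop, ignored
dave  ALL=(root) NOPASSWD:NOEXEC: /usr/sbin/iftop
erin  ALL=(root) /usr/sbin/iftop, /bin/ls'
SAMPLE_GLOBAL='Defaults env_reset, noexec
alice ALL=(root) /usr/sbin/iftop
bob   ALL=(root) EXEC: /usr/sbin/iftop'

# Print each rule that lets a user run "$1" with shell escapes still possible:
# it names the command and has no NOEXEC: tag, unless a global "Defaults noexec"
# applies and the rule does not re-enable escapes with EXEC:.
unprotected_rules() {
    printf '%s\n' "$2" | awk -v cmd="$1" '
        /^[ \t]*#/ { next }                                  # comment line
        /^[ \t]*Defaults[ \t]/ {                             # global Defaults
            if ($0 ~ /(^|[ \t,])noexec([ \t,]|$)/) global_noexec = 1
            next
        }
        index($0, cmd) > 0 { rules[++n] = $0 }               # mentions the command
        END {
            for (i = 1; i <= n; i++) {
                r = rules[i]
                if (r ~ /NOEXEC:/) continue                  # tagged: protected
                if (global_noexec && r !~ /EXEC:/) continue  # covered by Defaults
                print r
            }
        }'
}

# Count of unprotected rules, printed without padding (0 when none).
count_unprotected() {
    unprotected_rules "$1" "$2" | awk 'END { print NR + 0 }'
}

# Rewrite one rule so NOEXEC: precedes the command. Tags carry over to later
# commands in the same list, so /bin/ls in erin's rule becomes NOEXEC too.
harden_rule() {
    printf '%s\n' "$2" | awk -v cmd="$1" '{
        p = index($0, cmd)
        if (p > 0) $0 = substr($0, 1, p - 1) "NOEXEC: " substr($0, p)
        print
    }'
}
unprotected_rules /usr/sbin/iftop "$SAMPLE_RULES" | while IFS= read -r r; do
    printf 'weak:  %s\nfixed: %s\n' "$r" "$(harden_rule /usr/sbin/iftop "$r")"
done
```

sudo implements noexec by preloading a library into dynamically linked programs, so a statically linked binary is not covered by this tag and still needs the compile-time or program-level fix Paul describes.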
