556649 - Sudo Functionality Notification to User Can Be Bypassed

Status: RESOLVED DUPLICATE of bug 450013

(Bugzilla :: User Accounts, defect)

Description

[Michael Coates [:mcoates] (acct no longer active)]

By design, users within the group bz_sudoers are able to impersonate another user account. A checks and balance control is in place that automatically notifies the impersonated user that their account has been accessed by the initiating user. However, it is possible to essentially bypass this notification and invisibly take control of a user account without any notification to the user.

Issue:
After a user of bz_sudoers has established a sudo session of a user account the account id for the user is stored as a cookie within the sudo'ers browser (e.g. sudo=3). At this point the sudo'er can modify the cookie and obtain control of any user id by modifying the integer appropriately (with the exception of users in the group 'bz_sudo_protect').  Since the sudo'er is already past the notification stage the target user does not receive an email that their account has been sudo'ed.

Note: This was confirmed within landfill click-to-try version of bugzilla. There is a chance that the current version at bugzilla.mozilla.org could differ and nullify this issue (I don't have bz_sudoers access to test).

Potential Attack:
This flaw could be leveraged by a malicious insider. It should be noted that members of the bz_sudoer group are likely to be very trusted and the likelihood of an attack here is very low. However, a malicious admin could add themselves to the bz_sudoers group, take control of a benign 2nd account they control, and then modify the cookie to access any other users in the system - perhaps obtaining access to groups or bugs that were otherwise unavailable.

Remediation Recommendation
Investigate if the id cookie containing the sudo'ed user id can be stored server side within the user's session. This would prevent unauthorized modification by the user.

Comment 2

[Frédéric Buclin]

Fixed