
Doesn't check that the RPC call is from Sudo?

Open aaronliu0130 opened this issue 1 year ago • 0 comments

Sudo for Windows version

0.1.6

Windows build number

10.0.26052.0

Other Software

No response

Steps to reproduce

see below

Expected Behavior

No response

Actual Behavior

Haven't had time to test this out yet, but according to https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html, sudo accepts any RPC call when in the background and doesn't check if it originates from sudo.

There are no checks for the caller’s PID to make sure it’s really the non-elevated sudo making the request. As long as the RPC server is running you can make the call. Finding the ALPC port is easy enough, you can just enumerate all the ALPC ports in \RPC Control to find them.

The code doesn’t provide a security descriptor for the ALPC port and it calls RpcServerRegisterIf to register the server, which should basically never be used. This old function doesn’t allow you to specify a security descriptor or a security callback. What this means is that any user on the same system can connect to this service and execute sudo commands.

aaronliu0130 · Feb 11 '24 04:02
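For readers who maintain their own elevated RPC server, the following added example (not Sudo for Windows code and not from the linked blog post) shows the two fixes the quoted paragraphs imply: give the ALPC endpoint a security descriptor, and register the interface with RpcServerRegisterIf3 so it gets a security descriptor, a security callback and the local-only flag, instead of the bare RpcServerRegisterIf. The callback asks the runtime for the caller's PID and compares it with the PID of the non-elevated client recorded at spawn time. The function names, the endpoint name and the SDDL placeholder are assumptions of this example; the Windows parts are guarded by _WIN32 so the policy helper also builds and can be checked on other platforms.

```c
/* Added example, not the Sudo for Windows implementation. Shows the hardened
 * counterpart of "no security descriptor + RpcServerRegisterIf + no caller check". */
#include <stddef.h>

/* Policy used by the security callback: the elevated server answers only the
 * non-elevated client process that launched it. expected_pid is recorded by the
 * launcher; 0 means "not yet known", which must fail closed. */
int sudo_caller_allowed(unsigned long expected_pid, unsigned long caller_pid)
{
    if (expected_pid == 0 || caller_pid == 0)
        return 0;
    return caller_pid == expected_pid;
}

#ifdef _WIN32
#include <windows.h>
#include <rpc.h>
#include <rpcdcep.h>   /* I_RpcBindingInqLocalClientPID (lightly documented) */
#include <sddl.h>

static unsigned long        g_expected_client_pid;  /* set before listening */
static PSECURITY_DESCRIPTOR g_endpoint_sd;          /* kept alive for the server's lifetime */

/* Security callback: the RPC runtime calls this when a client binds to the
 * interface, before any method runs. Context is the client's binding handle. */
static RPC_STATUS RPC_ENTRY sudo_if_callback(RPC_IF_HANDLE iface, void *context)
{
    unsigned long caller_pid = 0;
    UNREFERENCED_PARAMETER(iface);
    if (I_RpcBindingInqLocalClientPID((RPC_BINDING_HANDLE)context, &caller_pid) != RPC_S_OK)
        return RPC_S_ACCESS_DENIED;           /* not an ALPC caller or query failed: refuse */
    return sudo_caller_allowed(g_expected_client_pid, caller_pid) ? RPC_S_OK
                                                                  : RPC_S_ACCESS_DENIED;
}

/* Hardened registration. if_spec is the MIDL-generated interface handle
 * (hypothetical here). sddl is a DACL built from the invoking user's token, e.g.
 * L"D:P(A;;GA;;;<SID-OF-INVOKING-USER>)" (placeholder), so other local users
 * cannot even open the endpoint. client_pid is the non-elevated sudo's PID. */
RPC_STATUS register_sudo_interface(RPC_IF_HANDLE if_spec, const wchar_t *sddl,
                                   unsigned long client_pid)
{
    RPC_STATUS status;

    g_expected_client_pid = client_pid;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl, SDDL_REVISION_1,
                                                              &g_endpoint_sd, NULL))
        return (RPC_STATUS)GetLastError();

    /* 1. The ALPC port itself carries a security descriptor. */
    status = RpcServerUseProtseqEpW((RPC_WSTR)L"ncalrpc", RPC_C_PROTSEQ_MAX_REQS_DEFAULT,
                                     (RPC_WSTR)L"SudoElevatedEndpoint-example",
                                     g_endpoint_sd);
    if (status != RPC_S_OK)
        return status;

    /* 2. RpcServerRegisterIf3 instead of RpcServerRegisterIf: the interface gets
     *    its own security descriptor, a security callback, and is limited to
     *    local (ALPC) callers. RPC_IF_AUTOLISTEN starts serving without RpcServerListen. */
    status = RpcServerRegisterIf3(if_spec, NULL, NULL,
                                  RPC_IF_ALLOW_LOCAL_ONLY | RPC_IF_AUTOLISTEN,
                                  RPC_C_LISTEN_MAX_CALLS_DEFAULT,
                                  (unsigned int)-1,          /* no extra size cap */
                                  sudo_if_callback, g_endpoint_sd);
    return status;
}
#endif /* _WIN32 */
```

The DACL and the PID check are complementary: the DACL stops other users at the port, while the callback stops other processes of the same user. A PID comparison alone is only sound while the client process cannot exit and have its PID recycled, so the elevated side should also hold an open handle to the client process for as long as it is willing to answer it.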