An evil person with e.g. a stolen SSH key can escalate privileges on a machine without needing the user's password. It's not simply about sudo working as designed; it allows bypassing sudo's user authentication entirely.
I can think of a handful of corporate machines (e.g. web servers) I've had pubkey access on where sudo allowed the real admin to gain root from the same account via sudo.
You mean, all of the NTP servers the machine uses. NTP will detect and reject a single server reporting bad time (assuming you have at least 3 servers configured, which is the recommendation).
You'd also have to do this when the NTP daemon first starts up, as:
-g Normally, ntpd exits with a message to the system log if the offset exceeds the panic
threshold, which is 1000 s by default. This option allows the time to be set to any value
without restriction; however, this can happen only once. If the threshold is exceeded after
that, ntpd will exit with a message to the system log. This option can be used with the -q
and -x options. See the tinker command for other options.
The NTP config on the machine would have to allow automatic changes without regard to the skew. I don't believe that is a default (or typically desired) configuration.
Can't the evil person with said access just wait until the person legitimately runs sudo? Today's exploit just allows the attack to happen more quickly, if the attacker happens to be able to change the time on the clock by a few billion seconds without escalated access.