
Linux Distros Patch Dangerous Vulnerability in Sudo Command


CrAKeN


Several Linux distros have issued updates to fix a vulnerability in Sudo, the program behind the "sudo" command, which can allow a local user who already holds limited sudo rights to gain full root privileges.

 

The issue, tracked as CVE-2017-1000367, came to light two days ago when security researchers from Qualys published an advisory on the matter.

 

Researchers say that a local user who can run at least one command through sudo can, by executing sudo under a crafted file name, trick it into treating an arbitrary file on the system as his terminal. The command's output is then written to that file, so the user can overwrite any file on the system, including root-owned ones. In practice that is equivalent to full root privileges.

 

Only systems with Sudo and SELinux are vulnerable


The issue does not affect every Linux system: exploitation to root requires SELinux to be enabled and sudo to have been built with SELinux support.

 

Todd C. Miller, the maintainer of sudo, has acknowledged the issue and released an update. The vulnerability is fixed in sudo 1.8.20p1; versions 1.8.6p7 through 1.8.20 inclusive are affected.
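A quick way to compare a sudo version string against the affected range above, as an added example that is not part of the original article or of the sudo project. It assumes upstream-style version strings of the form MAJOR.MINOR.PATCH[pN] with each component below 100, and it only reasons about upstream numbering: Red Hat, SUSE, Debian and Ubuntu backport fixes without bumping the upstream version, so on a distro package the package changelog or the distro advisory is authoritative, not this comparison.

```shell
# Added example, not from the article or the sudo project.
# Maps "MAJOR.MINOR.PATCH[pN]" to one integer so versions compare numerically
# (assumes each component is below 100). Returns 2 on an unparsable string.
sudo_version_key() {
    [ -n "$1" ] || return 2
    base=${1%%p*}                 # 1.8.20p1 -> 1.8.20
    plevel=${1#"$base"}           # -> p1 (or empty)
    plevel=${plevel#p}
    plevel=${plevel:-0}
    maj=${base%%.*}
    rest=${base#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0 # "1.8" has no third component
    case "$maj$min$pat$plevel" in
        ''|*[!0-9]*) return 2 ;;
    esac
    echo $(( maj * 1000000 + min * 10000 + pat * 100 + plevel ))
}

# Returns 0 if $1 is inside the affected upstream range 1.8.6p7 .. 1.8.20
# (inclusive, as stated in the Qualys advisory), 1 if not, 2 if unparsable.
sudo_version_affected() {
    key=$(sudo_version_key "$1") || return 2
    lo=$(sudo_version_key 1.8.6p7)
    hi=$(sudo_version_key 1.8.20)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# Checks the sudo installed on this host; "sudo -V" needs no privileges and
# prints "Sudo version X.Y.Z" on its first line.
check_installed_sudo() {
    ver=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1)
    [ -n "$ver" ] || { echo "sudo not found"; return 2; }
    if sudo_version_affected "$ver"; then
        echo "sudo $ver: upstream version in affected range (verify distro backports)"
    else
        echo "sudo $ver: upstream version not in affected range"
    fi
}
```

Run `check_installed_sudo` on a host to get a first indication; treat a hit as a prompt to read the distribution's own advisory rather than as proof of exposure, and remember that exploitation to root additionally requires SELinux support in the sudo build.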

 

Sudo ships by default in most of today's Linux distros. Red Hat, SUSE, Debian, and Ubuntu have released security updates to address the issue.

 

Below is Qualys' technical explanation of the flaw. Proof-of-concept exploit code is included in the company's original advisory.

 

Quote

We discovered a vulnerability in Sudo's get_process_ttyname() for Linux: this function opens "/proc/[pid]/stat" (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367).

 

For example, if we execute Sudo through the symlink "./     1 ", get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number "1" in the built-in search_devs[]. Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to search for this non-existent tty device number "1" in a breadth-first traversal of "/dev".

 

Last, we exploit this function during its traversal of the world-writable "/dev/shm": through this vulnerability, a local user can pretend that his tty is any character device on the filesystem, and after two race conditions, he can pretend that his tty is any file on the filesystem.

 

On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command's output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command's stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges.
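The parsing mistake at the root of the advisory above, shown as an added example that is neither sudo's nor Qualys' code: a "split on spaces and take field 7" reader of /proc/[pid]/stat beside a parser that anchors on the last ')' of the comm field, which is the approach a hardened reader takes because comm is the only field that can contain spaces or parentheses. The stat lines are constructed in the program (pid 4242, tty_nr 34816 standing in for /dev/pts/0); nothing is read from a live /proc, and the function names are the example's own.

```c
/*
 * Added example (not sudo's or Qualys' code): why parsing /proc/[pid]/stat
 * by counting spaces is unsafe, and how to read tty_nr robustly.
 *
 * proc(5) layout:  pid (comm) state ppid pgrp session tty_nr tpgid ...
 * Field 2, comm, is the executable's basename (at most 15 bytes) wrapped in
 * parentheses; it may contain spaces and even ')' characters, so a parser
 * that simply counts space-separated fields can be steered to the wrong one.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build a constructed stat line for a process named `comm` whose controlling
 * tty has device number `tty_nr`. The pid/ppid/pgrp/session values are made
 * up; a real line would be read from /proc/<pid>/stat. Returns 0 on success. */
int make_stat_line(char *buf, size_t len, const char *comm, long tty_nr)
{
    int n = snprintf(buf, len, "4242 (%s) S 4100 4242 4100 %ld 4242 0",
                     comm, tty_nr);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Naive parser in the style the advisory describes: split at every single
 * space and take the 7th field. Returns that value, or -1 if the 7th field
 * is missing or not numeric. A comm of five spaces followed by "1 " makes
 * fields 3-6 empty and field 7 the attacker's "1". */
long naive_tty_nr(const char *line)
{
    const char *cp = line;          /* start of the current field */
    int field = 1;

    for (const char *ep = line; ; ep++) {
        if (*ep != ' ' && *ep != '\0')
            continue;
        if (field == 7) {
            char *end;
            long v = strtol(cp, &end, 10);
            return end == cp ? -1 : v;
        }
        if (*ep == '\0')
            return -1;
        field++;
        cp = ep + 1;
    }
}

/* Robust parser: everything after the LAST ')' has a fixed layout
 * " state ppid pgrp session tty_nr ...", so skip four tokens past the ')'
 * and parse the fifth as tty_nr. Returns -1 on any malformed input. */
long safe_tty_nr(const char *line)
{
    const char *lp = strchr(line, '(');
    const char *rp = strrchr(line, ')');
    if (lp == NULL || rp == NULL || rp < lp)
        return -1;

    const char *cp = rp + 1;
    for (int i = 0; i < 4; i++) {   /* state, ppid, pgrp, session */
        cp += strspn(cp, " ");
        size_t n = strcspn(cp, " ");
        if (n == 0)
            return -1;
        cp += n;
    }
    cp += strspn(cp, " ");

    char *end;
    errno = 0;
    long v = strtol(cp, &end, 10);
    if (end == cp || errno != 0 || v < 0 || (*end != ' ' && *end != '\0'))
        return -1;
    return v;
}

int main(void)
{
    /* 34816 == makedev(136, 0), i.e. /dev/pts/0 on Linux. */
    const char *names[] = { "sudo", "     1 ", "x) S 4" };
    char line[256];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (make_stat_line(line, sizeof line, names[i], 34816) != 0)
            return 1;
        printf("comm=\"%s\"  naive=%ld  safe=%ld\n",
               names[i], naive_tty_nr(line), safe_tty_nr(line));
    }
    return 0;
}
```

For the spaced name the naive reader returns 1 instead of 34816, which is exactly the bogus device number the advisory then hunts for under /dev; the third name shows that a ')' inside comm misleads the naive reader as well, while anchoring on the last ')' is unaffected by both.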
