Vulnerabilities > CVE-2017-1000367 - Race Condition vulnerability in Sudo Project Sudo
Attack vector | LOCAL |
Attack complexity | HIGH |
Privileges required | HIGH |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation flaw (embedded spaces) in the get_process_ttyname() function, resulting in information disclosure and command execution.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions: This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Exploit-Db
description | Sudo - 'get_process_ttyname()' Privilege Escalation. CVE-2017-1000367. Local exploit for Linux platform |
file | exploits/linux/local/42183.c |
id | EDB-ID:42183 |
last seen | 2017-06-16 |
modified | 2017-06-14 |
platform | linux |
port | |
published | 2017-06-14 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/42183/ |
title | Sudo - 'get_process_ttyname()' Privilege Escalation |
type | local |
Nessus
NASL family | PhotonOS Local Security Checks |
NASL id | PHOTONOS_PHSA-2017-0021.NASL |
description | An update of [zlib,bindutils,ruby,krb5,sudo] packages for PhotonOS has been released. |
last seen | 2019-02-21 |
modified | 2019-02-07 |
plugin id | 111870 |
published | 2018-08-17 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=111870 |
title | Photon OS 1.0: Bindutils / Krb5 / Ruby / Sudo / Zlib PHSA-2017-0021 (deprecated) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#
# @DEPRECATED@
#
# Disabled on 2/7/2019
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2017-0021. The text
# itself is copyright (C) VMware, Inc.

include("compat.inc");

if (description)
{
  script_id(111870);
  script_version("1.3");
  script_cvs_date("Date: 2019/04/05 23:25:07");

  script_cve_id(
    "CVE-2016-2776",
    "CVE-2016-3120",
    "CVE-2016-9841",
    "CVE-2016-9843",
    "CVE-2016-1000368",
    "CVE-2017-9224",
    "CVE-2017-9225",
    "CVE-2017-9227",
    "CVE-2017-9229",
    "CVE-2017-1000367",
    "CVE-2017-1000368"
  );

  script_name(english:"Photon OS 1.0: Bindutils / Krb5 / Ruby / Sudo / Zlib PHSA-2017-0021 (deprecated)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"This plugin has been deprecated.");
  script_set_attribute(attribute:"description", value:
"An update of [zlib,bindutils,ruby,krb5,sudo] packages for PhotonOS has been released.");
  # https://github.com/vmware/photon/wiki/Security-Updates-51
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?11072ed6");
  script_set_attribute(attribute:"solution", value:"n/a.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2776");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:bindutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:krb5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:ruby");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:sudo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:zlib");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");

  exit(0);
}

# Deprecated plugin: the package checks below are never reached.
exit(0, "This plugin has been deprecated.");

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/PhotonOS/release");
if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");

if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

flag = 0;

pkgs = [
  "bindutils-9.10.4-2.ph1",
  "bindutils-debuginfo-9.10.4-2.ph1",
  "krb5-1.14-6.ph1",
  "krb5-debuginfo-1.14-6.ph1",
  "ruby-2.4.0-3.ph1",
  "ruby-debuginfo-2.4.0-3.ph1",
  "sudo-1.8.20p2-1.ph1",
  "sudo-debuginfo-1.8.20p2-1.ph1",
  "zlib-1.2.8-5.ph1",
  "zlib-debuginfo-1.2.8-5.ph1",
  "zlib-devel-1.2.8-5.ph1"
];

foreach (pkg in pkgs)
  if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bindutils / krb5 / ruby / sudo / zlib");
}
```
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2017-8B250EBE97.NASL |
description | - update to 1.8.20p2 - added sudo package to dnf/yum protected packages ---- - update to 1.8.20p1 - fixes CVE-2017-1000367. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2017-07-17 |
plugin id | 101680 |
published | 2017-07-17 |
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/101680 |
title | Fedora 26 : sudo (2017-8b250ebe97) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2017-8b250ebe97.
#

include("compat.inc");

if (description)
{
  script_id(101680);
  script_version("3.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-1000367");
  script_xref(name:"FEDORA", value:"2017-8b250ebe97");

  script_name(english:"Fedora 26 : sudo (2017-8b250ebe97)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"  - update to 1.8.20p2
  - added sudo package to dnf/yum protected packages

----

  - update to 1.8.20p1
  - fixes CVE-2017-1000367

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-8b250ebe97"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected sudo package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:sudo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/17");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Confirm the target is Fedora 26 before comparing package versions.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# The host is vulnerable if the installed sudo is older than the fixed build.
flag = 0;
if (rpm_check(release:"FC26", reference:"sudo-1.8.20p2-1.fc26")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sudo");
}
```
NASL family | Virtuozzo Local Security Checks |
NASL id | VIRTUOZZO_VZLSA-2017-1574.NASL |
description | An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 101486 |
published | 2017-07-13 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/101486 |
title | Virtuozzo 6 : sudo / sudo-devel (VZLSA-2017-1574) |

NASL family | Amazon Linux Local Security Checks |
NASL id | AL2_ALAS-2019-1315.NASL |
description | When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification. (CVE-2019-14287) Further details can be found here: https://www.sudo.ws/alerts/minus_1_uid.html A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 129851 |
published | 2019-10-15 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/129851 |
title | Amazon Linux 2 : sudo (ALAS-2019-1315) |

NASL family | Amazon Linux Local Security Checks |
NASL id | ALA_ALAS-2017-855.NASL |
description | It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 101272 |
published | 2017-07-07 |
reporter | This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/101272 |
title | Amazon Linux AMI : sudo (ALAS-2017-855) |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2017-1382.NASL |
description | From Red Hat Security Advisory 2017:1382: An update for sudo is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100528 |
published | 2017-05-31 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100528 |
title | Oracle Linux 6 / 7 : sudo (ELSA-2017-1382) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2017-1450-1.NASL |
description | This update for sudo fixes the following issues: CVE-2017-1000367: - Due to incorrect assumptions in /proc/[pid]/stat parsing, a local attacker can pretend that his tty is any file on the filesystem, thus gaining arbitrary file write access on SELinux-enabled systems. [bsc#1039361] - Fix FQDN for hostname. [bsc#1024145] - Filter netgroups, they aren |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100543 |
published | 2017-05-31 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100543 |
title | SUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2017:1450-1) |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20170530_SUDO_ON_SL6_X.NASL |
description | Security Fix(es): - A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) |
last seen | 2020-03-18 |
modified | 2017-05-31 |
plugin id | 100537 |
published | 2017-05-31 |
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100537 |
title | Scientific Linux Security Update : sudo on SL6.x, SL7.x i386/x86_64 (20170530) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2017-1446-1.NASL |
description | This update for sudo fixes the following issues: CVE-2017-1000367: - Due to incorrect assumptions in /proc/[pid]/stat parsing, a local attacker can pretend that his tty is any file on the filesystem, thus gaining arbitrary file write access on SELinux-enabled systems. [bsc#1039361] - Fix FQDN for hostname. [bsc#1024145] - Filter netgroups, they aren |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100542 |
published | 2017-05-31 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100542 |
title | SUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2017:1446-1) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2017-1627-1.NASL |
description | This update for sudo fixes the following issues: - CVE-2017-1000368: A follow-up fix to CVE-2017-1000367, the Linux process name could also contain a newline, which could be used to trick sudo to read/write to an arbitrary open terminal. (bsc#1042146) Also the following non-security bug was fixed: - Link the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100953 |
published | 2017-06-21 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100953 |
title | SUSE SLES12 Security Update : sudo (SUSE-SU-2017:1627-1) |

NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2019-1449.NASL |
description | According to the versions of the sudo package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: - It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) - A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 124952 |
published | 2019-05-14 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/124952 |
title | EulerOS Virtualization 3.0.1.0 : sudo (EulerOS-SA-2019-1449) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2017-1574.NASL |
description | An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 101023 |
published | 2017-06-23 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/101023 |
title | RHEL 6 / 7 : sudo (RHSA-2017:1574) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2017-1381.NASL |
description | An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100587 |
published | 2017-06-02 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100587 |
title | RHEL 5 : sudo (RHSA-2017:1381) |

NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2017-1106.NASL |
description | According to the version of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerability: - A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-05-06 |
modified | 2017-06-09 |
plugin id | 100699 |
published | 2017-06-09 |
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100699 |
title | EulerOS 2.0 SP1 : sudo (EulerOS-SA-2017-1106) |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2017-1381.NASL |
description | From Red Hat Security Advisory 2017:1381: An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100613 |
published | 2017-06-05 |
reporter | This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/100613 |
title | Oracle Linux 5 : sudo (ELSA-2017-1381) |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2017-744.NASL |
description | This update for sudo fixes the following security issue: - CVE-2017-1000368: A follow-up fix to CVE-2017-1000367, the Linux process name could also contain a newline, which could be used to trick sudo to read/write to an arbitrary open terminal. (bsc#1042146) Also the following non-security bug was fixed: - Link the |
last seen | 2020-06-05 |
modified | 2017-06-30 |
plugin id | 101137 |
published | 2017-06-30 |
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/101137 |
title | openSUSE Security Update : sudo (openSUSE-2017-744) |

NASL family | Ubuntu Local Security Checks |
NASL id | UBUNTU_USN-3304-1.NASL |
description | It was discovered that Sudo did not properly parse the contents of /proc/[pid]/stat when attempting to determine its controlling tty. A local attacker in some configurations could possibly use this to overwrite any file on the filesystem, bypassing intended permissions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100549 |
published | 2017-05-31 |
reporter | Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100549 |
title | Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : sudo vulnerability (USN-3304-1) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2017-1382.NASL |
description | An update for sudo is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100534 |
published | 2017-05-31 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100534 |
title | RHEL 6 / 7 : sudo (RHSA-2017:1382) |

NASL family | OracleVM Local Security Checks |
NASL id | ORACLEVM_OVMSA-2017-0125.NASL |
description | The remote OracleVM system is missing necessary patches to address critical security updates: - Fix (CVE-2017-1000368) - Fix (CVE-2017-1000367) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 102063 |
published | 2017-07-31 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/102063 |
title | OracleVM 3.2 : sudo (OVMSA-2017-0125) |

NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2017-1121.NASL |
description | According to the version of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerability: - It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-05-06 |
modified | 2017-07-10 |
plugin id | 101309 |
published | 2017-07-10 |
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/101309 |
title | EulerOS 2.0 SP2 : sudo (EulerOS-SA-2017-1121) |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2017-1574.NASL |
description | From Red Hat Security Advisory 2017:1574: An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 101022 |
published | 2017-06-23 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/101022 |
title | Oracle Linux 6 / 7 : sudo (ELSA-2017-1574) |

NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_SSA_2017-150-01.NASL |
description | New sudo packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100512 |
published | 2017-05-31 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100512 |
title | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : sudo (SSA:2017-150-01) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201705-15.NASL |
description | The remote host is affected by the vulnerability described in GLSA-201705-15 (sudo: Privilege escalation). Qualys discovered a vulnerability in sudo's get_process_ttyname() for Linux, that via sudo_ttyname_scan() can be directed to use a user-controlled, arbitrary tty device during its traversal of "/dev" by utilizing the world-writable /dev/shm. For further information, please see the Qualys Security Advisory. Impact: A local attacker can pretend that his tty is any character device on the filesystem, and after two race conditions, an attacker can pretend that the controlled tty is any file on the filesystem, allowing for privilege escalation. Workaround: There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100523 |
published | 2017-05-31 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100523 |
title | GLSA-201705-15 : sudo: Privilege escalation |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2017-636.NASL |
description | This update for sudo fixes the following issues: CVE-2017-1000367: - Due to incorrect assumptions in /proc/[pid]/stat parsing, a local attacker can pretend that his tty is any file on the filesystem, thus gaining arbitrary file write access on SELinux-enabled systems. [bsc#1039361] - Fix FQDN for hostname. [bsc#1024145] - Filter netgroups, they aren |
last seen | 2020-06-05 |
modified | 2017-05-31 |
plugin id | 100524 |
published | 2017-05-31 |
reporter | This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100524 |
title | openSUSE Security Update : sudo (openSUSE-2017-636) |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2017-1574.NASL |
description | An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es): * It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 101005 |
published | 2017-06-23 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/101005 |
title | CentOS 6 / 7 : sudo (CESA-2017:1574) |

NASL family | Amazon Linux Local Security Checks |
NASL id | ALA_ALAS-2017-843.NASL |
description | A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100644 |
published | 2017-06-07 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source https://www.tenable.com/plugins/nessus/100644 title Amazon Linux AMI : sudo (ALAS-2017-843) NASL family Fedora Local Security Checks NASL id FEDORA_2017-54580EFA82.NASL description - update to 1.8.20p2 - added sudo package to dnf/yum protected packages ---- - update to 1.8.20p1 - fixes CVE-2017-1000367 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-06-05 plugin id 100605 published 2017-06-05 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100605 title Fedora 25 : sudo (2017-54580efa82) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-970.NASL description The Qualys Security team discovered that sudo, a program designed to provide limited super user privileges to specific users, does not properly parse last seen 2020-03-17 modified 2017-05-31 plugin id 100519 published 2017-05-31 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100519 title Debian DLA-970-1 : sudo security update NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3867.NASL description The Qualys Security team discovered that sudo, a program designed to provide limited super user privileges to specific users, does not properly parse last seen 2020-06-01 modified 2020-06-02 plugin id 100521 published 2017-05-31 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/100521 title Debian DSA-3867-1 : sudo - security update NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0110.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - Fixes (CVE-2017-1000367) Resolves: rhbz#1455399 - Update noexec syscall blacklist - Fixes (CVE-2016-7032, CVE-2016-7076) Resolves: rhbz#1391938 - RHEL-6.9 erratum - Fix race condition when creating /var/log/sudo-io direcotry Resolves: rhbz#1365156 last seen 2020-06-01 modified 2020-06-02 plugin id 100530 published 2017-05-31 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100530 title OracleVM 3.3 / 3.4 : sudo (OVMSA-2017-0110) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1120.NASL description According to the version of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-07-10 plugin id 101308 published 2017-07-10 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/101308 title EulerOS 2.0 SP1 : sudo (EulerOS-SA-2017-1120) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1011.NASL description Todd Miller last seen 2020-03-17 modified 2017-07-05 plugin id 101210 published 2017-07-05 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/101210 title Debian DLA-1011-1 : sudo security update NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-1382.NASL description An update for sudo is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 100558 published 2017-06-01 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/100558 title CentOS 6 / 7 : sudo (CESA-2017:1382) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1626-1.NASL description This update for sudo fixes the following security issue : - CVE-2017-1000368: A follow-up fix to CVE-2017-1000367, the Linux process name could also contain a newline, which could be used to trick sudo to read/write to an arbitrary open terminal. (bsc#1042146) Also the following non security bug was fixed : - Link the last seen 2020-06-01 modified 2020-06-02 plugin id 100952 published 2017-06-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100952 title SUSE SLED12 / SLES12 Security Update : sudo (SUSE-SU-2017:1626-1) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0102_SUDO.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has sudo packages installed that are affected by a vulnerability: - It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127331 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127331 title NewStart CGSL MAIN 4.05 : sudo Vulnerability (NS-SA-2019-0102) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0021_SUDO.NASL description An update of the sudo package has been released. 
last seen 2020-03-17 modified 2019-02-07 plugin id 121703 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121703 title Photon OS 1.0: Sudo PHSA-2017-0021 NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1107.NASL description According to the version of the sudo package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-06-09 plugin id 100700 published 2017-06-09 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100700 title EulerOS 2.0 SP2 : sudo (EulerOS-SA-2017-1107) NASL family Junos Local Security Checks NASL id JUNIPER_SPACE_JSA_10826.NASL description According to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 104100 published 2017-10-23 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/104100 title Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZLSA-2017-1382.NASL description An update for sudo is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root. Security Fix(es) : * A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Red Hat would like to thank Qualys Security for reporting this issue. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 101478 published 2017-07-13 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101478 title Virtuozzo 6 : sudo / sudo-devel (VZLSA-2017-1382) NASL family Scientific Linux Local Security Checks NASL id SL_20170623_SUDO_ON_SL6_X.NASL description Security Fix(es) : - It was found that the original fix for CVE-2017-1000367 was incomplete. 
A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000368) last seen 2020-03-18 modified 2017-06-26 plugin id 101041 published 2017-06-26 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101041 title Scientific Linux Security Update : sudo on SL6.x, SL7.x i386/x86_64 (20170623) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0097_SUDO.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has sudo packages installed that are affected by a vulnerability: - A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. (CVE-2017-1000367) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127322 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127322 title NewStart CGSL MAIN 4.05 : sudo Vulnerability (NS-SA-2019-0097) NASL family Fedora Local Security Checks NASL id FEDORA_2017-FACD994774.NASL description - update to 1.8.20p2 - added sudo package to dnf/yum protected packages ---- - update to 1.8.20p1 - fixes CVE-2017-1000367 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. 
last seen 2020-06-05 modified 2017-06-09 plugin id 100705 published 2017-06-09 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100705 title Fedora 24 : sudo (2017-facd994774)
Packetstorm
data source | https://packetstormsecurity.com/files/download/142783/QSA-20170601-2.txt |
id | PACKETSTORM:142783 |
last seen | 2017-06-03 |
published | 2017-06-02 |
reporter | qualys.com |
source | https://packetstormsecurity.com/files/142783/Sudo-get_process_ttyname-Race-Condition.html |
title | Sudo get_process_ttyname() Race Condition |
Redhat
Seebug
bulletinFamily | exploit |
description |
========================================================================
Contents
========================================================================

Analysis
Exploitation
Example
Acknowledgments

========================================================================
Analysis
========================================================================

We discovered a vulnerability in Sudo's get_process_ttyname() for Linux: this function opens "/proc/[pid]/stat" (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367).

For example, if we execute Sudo through the symlink "./ 1 ", get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number "1" in the built-in search_devs[].

Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to search for this non-existent tty device number "1" in a breadth-first traversal of "/dev".

Last, we exploit this function during its traversal of the world-writable "/dev/shm": through this vulnerability, a local user can pretend that his tty is any character device on the filesystem, and after two race conditions, he can pretend that his tty is any file on the filesystem.

On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command's output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command's stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges.

========================================================================
Exploitation
========================================================================

To exploit this vulnerability, we:

- create a directory "/dev/shm/_tmp" (to work around /proc/sys/fs/protected_symlinks), and a symlink "/dev/shm/_tmp/_tty" to a non-existent pty "/dev/pts/57", whose device number is 34873;
- run Sudo through a symlink "/dev/shm/_tmp/ 34873 " that spoofs the device number of this non-existent pty;
- set the flag CD_RBAC_ENABLED through the command-line option "-r role" (where "role" can be our current role, for example "unconfined_r");
- monitor our directory "/dev/shm/_tmp" (for an IN_OPEN inotify event) and wait until Sudo opendir()s it (because sudo_ttyname_dev() cannot find our non-existent pty in "/dev/pts/");
- SIGSTOP Sudo, call openpty() until it creates our non-existent pty, and SIGCONT Sudo;
- monitor our directory "/dev/shm/_tmp" (for an IN_CLOSE_NOWRITE inotify event) and wait until Sudo closedir()s it;
- SIGSTOP Sudo, replace the symlink "/dev/shm/_tmp/_tty" to our now-existent pty with a symlink to the file that we want to overwrite (for example "/etc/passwd"), and SIGCONT Sudo;
- control the output of the command executed by Sudo (the output that overwrites "/etc/passwd"):
  . either through a command-specific method;
  . or through a general method such as "--\nHELLO\nWORLD\n" (by default, getopt() prints an error message to stderr if it does not recognize an option character).

To reliably win the two SIGSTOP races, we preempt the Sudo process: we setpriority() it to the lowest priority, sched_setscheduler() it to SCHED_IDLE, and sched_setaffinity() it to the same CPU as our exploit.

========================================================================
Example
========================================================================

We will publish our Sudoer-to-root exploit (Linux_sudo_CVE-2017-1000367.c) in the near future:

```
[john@localhost ~]$ head -n 8 /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt

[john@localhost ~]$ sudo -l
[sudo] password for john:
...
User john may run the following commands on localhost:
    (ALL) /usr/bin/sum

[john@localhost ~]$ ./Linux_sudo_CVE-2017-1000367 /usr/bin/sum $'--\nHELLO\nWORLD\n'
[sudo] password for john:

[john@localhost ~]$ head -n 8 /etc/passwd
/usr/bin/sum: unrecognized option '--
HELLO
WORLD
'
Try '/usr/bin/sum --help' for more information.
ogin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
```

========================================================================
Acknowledgments
========================================================================

We thank Todd C. Miller for his great work and quick response, and the members of the distros list for their help with the disclosure of this vulnerability.
|
id | SSV:93165 |
last seen | 2017-11-19 |
modified | 2017-05-31 |
published | 2017-05-31 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-93165 |
title | CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux |
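The Analysis section of the Qualys advisory above pins the root cause on how /proc/[pid]/stat was read: tty_nr was taken as the seventh space-separated field although field 2 (comm, the process name) may itself contain spaces, and the openSUSE/SUSE entries note the follow-up CVE-2017-1000368, where comm containing a newline defeated the first fix. The C program below is an added illustration, not code from sudo, the Qualys advisory or the Exploit-DB entry. It contrasts the flawed field-counting parser with a hardened one that anchors on the last ')' closing comm and then counts fields, and runs both over constructed stat buffers (pid 4242, the field values and the process names are made up; the tty device numbers 34816 and 34873 decode to /dev/pts/0 and /dev/pts/57, the latter being the number quoted in the advisory).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/[pid]/stat contents (hypothetical pid 4242, tty_nr
   34816 = /dev/pts/0).  Only the first 10 of the 52 fields are present;
   the parsers below never look beyond field 7. */
static const char STAT_BENIGN[] =
    "4242 (sudo) S 4100 4242 4100 34816 4242 4194304 1234\n";

/* Same process, but run through a name containing spaces and a number,
   so field 2 (comm) now spans several space-separated tokens. */
static const char STAT_SPACED_COMM[] =
    "4242 (a b c d e 34873 f) S 4100 4242 4100 34816 4242 4194304 1234\n";

/* comm containing ')' and a newline, the shape behind CVE-2017-1000368;
   the kernel writes comm into this file verbatim, without escaping. */
static const char STAT_NEWLINE_COMM[] =
    "4242 (x) y\n z) S 4100 4242 4100 34816 4242 4194304 1234\n";

/* Flawed pattern: count space separators and read whatever follows the
   sixth one as field 7, trusting that no field contains a space. */
int naive_tty_nr(const char *stat, long *tty_nr)
{
    int field = 1;
    for (const char *p = stat; *p != '\0'; p++) {
        if (*p == ' ' && ++field == 7) {
            char *end;
            long v = strtol(p + 1, &end, 10);
            if (end == p + 1)
                return -1;
            *tty_nr = v;
            return 0;
        }
    }
    return -1;
}

/* Hardened pattern: comm is the only field wrapped in parentheses and the
   only one that may contain spaces, ')' or newlines, so the LAST ')' in
   the buffer ends it whatever the process name is; fields are counted
   from there.  The buffer must hold the whole file, not a single line,
   or a newline inside comm would truncate it before the real fields. */
int robust_tty_nr(const char *stat, long *tty_nr)
{
    const char *p = strrchr(stat, ')');
    if (p == NULL)
        return -1;
    p++;
    /* After comm: 3 state, 4 ppid, 5 pgrp, 6 session, 7 tty_nr. */
    for (int field = 3; field <= 7; field++) {
        if (*p != ' ')              /* exactly one separator expected */
            return -1;
        p++;
        if (field == 7) {
            char *end;
            errno = 0;
            long v = strtol(p, &end, 10);
            if (end == p || errno != 0 ||
                (*end != ' ' && *end != '\n' && *end != '\0'))
                return -1;          /* not a clean integer token */
            *tty_nr = v;
            return 0;
        }
        while (*p != '\0' && *p != ' ')
            p++;                    /* skip this token */
    }
    return -1;
}

/* Split a Linux dev_t as encoded in tty_nr into its major and minor. */
unsigned dev_major(long dev) { return ((unsigned)dev >> 8) & 0xfff; }
unsigned dev_minor(long dev)
{
    return ((unsigned)dev & 0xff) | (((unsigned)dev >> 12) & 0xfff00);
}

/* Convenience wrapper: parsed tty_nr, or -1 if the buffer is rejected. */
long tty_nr_of(int (*parse)(const char *, long *), const char *stat)
{
    long v;
    return parse(stat, &v) == 0 ? v : -1;
}

int main(void)
{
    const char *samples[] = { STAT_BENIGN, STAT_SPACED_COMM, STAT_NEWLINE_COMM };
    for (size_t i = 0; i < 3; i++) {
        long n = tty_nr_of(naive_tty_nr, samples[i]);
        long r = tty_nr_of(robust_tty_nr, samples[i]);
        printf("sample %zu: naive=%ld (%u:%u)  robust=%ld (%u:%u)\n", i,
               n, dev_major(n), dev_minor(n), r, dev_major(r), dev_minor(r));
    }
    return 0;
}
```

On the spoofed buffer the naive parser returns the number planted inside comm (34873, i.e. /dev/pts/57) while the hardened parser still returns the real tty (34816); on the newline sample the naive parser returns a wrong but plausible-looking field, which is why a tty lookup should also verify that the resulting device is a terminal the process actually owns rather than trusting the number alone.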
The Hacker News
id | THN:2E3849E605A5C7990158F1BD04789BB7 |
last seen | 2018-01-27 |
modified | 2017-06-01 |
published | 2017-05-31 |
reporter | Mohit Kumar |
source | https://thehackernews.com/2017/05/linux-sudo-root-hack.html |
title | High-Severity Linux Sudo Flaw Allows Users to Gain Root Privileges |
References
- https://www.sudo.ws/alerts/linux_tty.html
- https://security.gentoo.org/glsa/201705-15
- https://access.redhat.com/errata/RHSA-2017:1381
- http://www.ubuntu.com/usn/USN-3304-1
- http://www.securitytracker.com/id/1038582
- http://www.securityfocus.com/bid/98745
- http://www.openwall.com/lists/oss-security/2017/05/30/16
- http://www.debian.org/security/2017/dsa-3867
- http://seclists.org/fulldisclosure/2017/Jun/3
- http://packetstormsecurity.com/files/142783/Sudo-get_process_ttyname-Race-Condition.html
- http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00079.html
- http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00078.html
- http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00077.html
- https://www.exploit-db.com/exploits/42183/
- https://access.redhat.com/errata/RHSA-2017:1382
- http://www.openwall.com/lists/oss-security/2022/12/22/5
- http://www.openwall.com/lists/oss-security/2022/12/22/6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEXC4NNIG2QOZY6N2YUK246KI3D3UQO/