A vulnerability affecting the manner in which Sudo parsed tty information could have resulted in the user gaining root privileges and being able to overwrite any file on the filesystem on SELinux-enabled systems.
Tracked as CVE-2017-1000367, the vulnerability was discovered by Qualys Security in Sudo’s get_process_ttyname() for Linux. The issue resides in how Sudo parses tty information from the process status file in the proc filesystem.
The vulnerability could be exploited by a local user with privileges to execute commands via Sudo and could result in the user being able to escalate their privileges to root. Featuring a CVSS3 Base Score of 7.8, the issue is considered High severity.
In their advisory, Qualys Security explains that Sudo’s get_process_ttyname() function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr). Although these fields are space-separated, it is possible for field 2 (comm, the filename of the command) to contain spaces, the security researchers explain.
Thus, Sudoer users on SELinux-enabled systems could escalate their privileges to overwrite any file on the filesystem with their command’s output, including root-owned files.
To successfully exploit the issue, a Sudo user would have to choose a device number that doesn’t exist under “/dev”. Because Sudo performs a breadth-first search of /dev if the terminal isn’t found under the /dev/pts directory, the user could allocate a pseudo-terminal between the two searchers and create a “symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm,” an alert on Sudo reads.
The attacker then uses the file as the command’s standard input, output and error when a SELinux role is specified on the sudo command line. If the symbolic link is replaced with another file before Sudo opens it, it allows the overwriting of arbitrary files by writing to the standard output or standard error.
“If SELinux is enabled on the system and Sudo was built with SELinux support, a user with sudo privileges may be able to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers,” the alert on Sudo reveals.
The issue was found to affect all Sudo versions from 1.8.6p7 through 1.8.20 and was resolved in Sudo 1.8.20p1.
More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
