Release Date:
This advisory was originally released on May 30, 2017. A revised
version, released on June 2, 2017, describes the possibility of
running a command attached to an arbitrary terminal.
Summary:
On Linux systems, sudo parses the /proc/[pid]/stat file to determine
the device number of the process's tty (field 7). The fields in the
file are space-delimited, but it is possible for the command name
(field 2) to include white space (including newline), which sudo does
not account for. A user with sudo privileges can cause sudo to use a
device number of the user's choosing by creating a symbolic link from
the sudo binary to a name that contains white space followed by a
number.
If SELinux is enabled on the system and sudo was built with SELinux
support, this can be exploited in one of two ways:
- A user with sudo privileges may be able to run a command with the
  standard input, output and error connected to a terminal device of
  their choosing.
- A user with sudo privileges may be able to overwrite an arbitrary
  file. This can be escalated to full root access by rewriting a
  trusted file such as /etc/shadow or even /etc/sudoers.
Sudo versions affected:
Sudo 1.7.10 through 1.7.10p9 inclusive and
Sudo 1.8.5 through 1.8.20p1 inclusive.
The fix present in sudo 1.8.20p1 was incomplete.
CVE ID:
This vulnerability was initially assigned CVE-2017-1000367 in the
Common Vulnerabilities and Exposures database. It was later
discovered that the fix present in sudo 1.8.20p1 was incomplete as
it did not address the problem of a command with a newline in the
name. CVE-2017-1000368 was assigned for this additional issue.
Details:
Exploiting the bug requires that the user already have sudo privileges.
SELinux must also be enabled on the system and sudo must have been
built with SELinux support.
There are two ways to exploit the bug:
- The user can choose a device number that corresponds to a terminal
  currently in use by another user. This allows an attacker to run
  any command allowed by sudo with read and write access to an arbitrary
  terminal device. Depending on the command, it may be possible to
  read sensitive data (such as a password) from another user's terminal.
- Alternately, the user can choose a device number that does not
  currently exist under /dev. If sudo does not find the terminal under
  the /dev/pts directory, it performs a breadth-first search of /dev.
  It is possible to allocate a pseudo-terminal after sudo has checked
  /dev/pts but before sudo performs its breadth-first search of /dev.
  The attacker may then create a symbolic link to the newly-created
  device in a world-writable directory under /dev, such as /dev/shm.
  This file will be used as the command's standard input, output and
  error when an SELinux role is specified on the sudo command line.
  If the symbolic link under /dev/shm is replaced with a link to
  another file before it is opened by sudo, it is possible to
  overwrite an arbitrary file by writing to the standard output or
  standard error.
This can be escalated to full root access by rewriting a trusted file such
as /etc/shadow or even /etc/sudoers.
For more details on exploitation, please see the
Qualys Security Advisory.
Fix:
The bug is fixed in sudo 1.8.20p2.
Sudo 1.8.20p1 included a fix for overwriting an arbitrary file
but it is still possible to write to another user's terminal.
Credit:
This bug was discovered and analyzed by Qualys, Inc., who also provided
helpful advice and feedback on the fix.
Thanks are also due to Stephane Chazelas, who pointed out that the
original patch did not address command names that include a newline,
and Solar Designer, who noticed that the bug could also be used to
hijack another user's terminal.