CVE-2017-1000367 is a severe local privilege-escalation vulnerability in Sudo on Linux, discovered by Qualys Security researchers. The flaw resides in Sudo’s “get_process_ttyname()” function and allows a local user who already has Sudo privileges to overwrite arbitrary files and, through that, elevate privileges to full root.
Sudo, or “superuser do,” is a program for Linux and UNIX that lets standard users run specific commands as the superuser (root) or as another user.
CVE-2017-1000367: Details
On Linux, get_process_ttyname() opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr), the researchers explain. The problem is that these fields are space-separated, and field 2 (comm, the filename of the command) can itself contain spaces. A command name with embedded spaces therefore shifts every later field, so what sudo reads as “field 7” is under the attacker’s control.
The vulnerability stems from the way Sudo parses the tty information in the process status file of the proc filesystem: on Linux machines, sudo reads /proc/[pid]/stat and takes the device number of the process’s tty from field 7 (tty_nr), as explained in the security advisory. More specifically:
For example, if we execute Sudo through the symlink “./ 1 “ (a name padded with enough spaces that the “1” lands in field 7 once the line is split on spaces), get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number “1” in the built-in search_devs[]. Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to search for this non-existent tty device number “1” in a breadth-first traversal of “/dev”.
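The following is an added example, not sudo’s own code, that shows why counting space-separated fields from the start of a /proc/[pid]/stat line is unsafe and how locating the end of the parenthesised comm field first removes the problem. The naive parser mirrors the behaviour described above; the hardened parser is modeled on the same idea as the upstream fix but is not a copy of it. All stat lines are constructed inline (a pid of 1234 and a tty_nr of 34816 for pts/0 are assumed), and the field numbering follows proc(5).

```c
/* Added example (not sudo's code): two ways of pulling tty_nr (field 7)
 * out of a /proc/[pid]/stat line.  The naive parser counts spaces from the
 * start of the line, the way the pre-1.8.20p1 get_process_ttyname() did;
 * the hardened parser first skips past the last ')' that closes the comm
 * field, so spaces inside comm cannot shift the field count.
 * Sample stat lines below are constructed, not captured from a system. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field index of tty_nr in /proc/[pid]/stat, per proc(5). */
#define TTY_NR_FIELD 7

/* Naive: count space-separated fields from the start of the line.
 * Returns tty_nr, or -1 if the field is missing. */
int tty_nr_naive(const char *line)
{
    int field = 1;
    const char *cp = line;

    while (*cp != '\0') {
        if (*cp++ == ' ') {
            if (++field == TTY_NR_FIELD)
                return atoi(cp);
        }
    }
    return -1;
}

/* Hardened: comm is the only field that may contain spaces, and it is the
 * only one wrapped in parentheses, so skip past the LAST ')' before
 * counting.  After it we are at the end of field 2; the next space starts
 * field 3 (state).  Returns tty_nr, or -1 if the line is malformed. */
int tty_nr_hardened(const char *line)
{
    const char *cp = strrchr(line, ')');
    int field = 2;

    if (cp == NULL)
        return -1;
    cp++;
    while (*cp != '\0') {
        if (*cp++ == ' ') {
            if (++field == TTY_NR_FIELD) {
                char *end;
                long v = strtol(cp, &end, 10);
                if (end == cp)          /* not an integer: malformed line */
                    return -1;
                return (int)v;
            }
        }
    }
    return -1;
}

/* Build a constructed stat line for pid 1234 with the given comm and
 * tty_nr; only the fields up to and just past tty_nr are filled in. */
void make_stat_line(char *buf, size_t n, const char *comm, int tty_nr)
{
    snprintf(buf, n, "1234 (%s) S 1 1234 1234 %d 1234 4194304", comm, tty_nr);
}

int main(void)
{
    char line[256];

    /* Constructed: an ordinary sudo process on pts/0 (tty_nr 34816). */
    make_stat_line(line, sizeof line, "sudo", 34816);
    printf("normal:  naive=%d hardened=%d\n",
           tty_nr_naive(line), tty_nr_hardened(line));

    /* Constructed: sudo run with no tty, through a symlink whose name is
     * five spaces, "1", and a space, so the "1" is the 7th space-separated
     * field.  The naive parser reports tty_nr 1; the hardened one reports 0. */
    make_stat_line(line, sizeof line, "     1 ", 0);
    printf("crafted: naive=%d hardened=%d\n",
           tty_nr_naive(line), tty_nr_hardened(line));
    return 0;
}
```

Running it prints tty_nr 34816 from both parsers for the ordinary line, but for the crafted name the naive parser returns the attacker-chosen 1 while the hardened parser returns the real value 0. Any device number that does not exist under /dev can be injected the same way, which is what sends sudo into its breadth-first scan of /dev.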
Exploiting CVE-2017-1000367
For the flaw to be exploited, the user must already have sudo privileges.
SELinux must also be enabled on the system, and sudo must have been built with SELinux support, the researchers add.
To exploit the bug, the user chooses a device number that does not currently exist under /dev (as with the “1” above). If sudo does not find the terminal under the /dev/pts directory, it performs a breadth-first search of /dev. It is possible to allocate a pseudo-terminal after sudo has checked /dev/pts but before it performs its breadth-first search of /dev, so the attacker can create a symbolic link to the newly created device in a world-writable directory under /dev, such as /dev/shm.
Whenever an SELinux role is specified on the sudo command line, this file is used as the command’s standard input, output and error. If the symbolic link under /dev/shm is replaced with a link to another file before sudo opens it, writing to standard output or standard error overwrites an arbitrary file. This can be escalated to full root access by overwriting a trusted file such as /etc/shadow or /etc/sudoers.
How to Fix CVE-2017-1000367
Fortunately, the issue is addressed and patched in sudo 1.8.20p1.
A further fix, for parsing /proc/[pid]/stat when the process name contains a newline, is included in sudo 1.8.20p2. Due to the changes in sudo 1.8.20p1 to how /dev is traversed, it is not possible to exploit a /proc/[pid]/stat file that contains a newline, the researchers conclude.