CVE-2017-1000367, Severe Root Vulnerability in Linux Sudo

CVE-2017-1000367 is a severe root Linux vulnerability discovered by Qualys Security researchers. The flaw resides in Sudo’s “get_process_ttyname()” function for Linux and could allow a user with Sudo privileges to run commands as root or elevate privileges to root.

Sudo, or “superuser do,” is a program for Linux and UNIX that lets standard users run specific commands as the superuser (root).


CVE-2017-1000367: Details

The function opens “/proc/[pid]/stat” (see man proc) and reads the device number of the tty from field 7 (tty_nr), the researchers explain. The problem is that these fields are space-separated, and field 2 (comm, the filename of the command) can itself contain spaces, which is the root of the issue.

More specifically:

For example, if we execute Sudo through the symlink “./ 1 “, get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number “1” in the built-in search_devs[]. Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to search for this non-existent tty device number “1” in a breadth-first traversal of “/dev”.

The vulnerability stems from the way Sudo parses “tty” information from the process status file in the proc filesystem. On Linux machines, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty from field 7 (tty_nr), as explained in the security advisory.
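The parsing problem described above is easiest to see side by side. The following is an added example, not sudo's own code: it parses constructed /proc/[pid]/stat contents first the fragile way (treating the whole line as space-separated and taking field 7) and then the robust way (skipping past the last ')' that terminates comm, the only field that may contain spaces or newlines). The stat contents, the comm values and the helper names are all constructed for this demonstration; the dev_t decoding follows the Linux/glibc major:minor layout.

```python
import sys

# Constructed stat line for a process whose comm (field 2) is "     1     ",
# i.e. the basename of a symlink made of spaces around the digit 1.
# The real tty_nr (field 7) is 34816, which decodes to /dev/pts/0.
STAT_SPACES = (
    "1234 (     1     ) S 1 1234 1234 34816 1234 4194560 100 0 0 0 "
    "5 3 0 0 20 0 1 0 12345 10485760 300 18446744073709551615 0 0 0 0 0 0 "
    "0 0 0 0 0 0 0 0 17 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
)

# Constructed stat content for a comm that contains a newline (the case
# addressed separately in sudo 1.8.20p2, per the article).
STAT_NEWLINE = (
    "1234 (evil\nname) S 1 1234 1234 34816 1234 4194560 100 0 0 0 "
    "5 3 0 0 20 0 1 0 12345 10485760 300 0"
)


def tty_nr_naive(stat_text):
    """Fragile parse: read one line, split on single spaces, take field 7.
    Spaces inside comm shift every later field, and a newline in comm
    truncates the line, so the 'tty_nr' comes under the process's control."""
    first_line = stat_text.split("\n", 1)[0]
    fields = first_line.split(" ")
    return fields[6] if len(fields) > 6 else None


def tty_nr_robust(stat_text):
    """Robust parse: comm is always wrapped in '(' ... ')' and is the only
    field that may contain spaces, parentheses or newlines. Everything after
    the LAST ')' is a well-formed whitespace-separated sequence:
    state ppid pgrp session tty_nr ...  so tty_nr is index 4 of that tail."""
    head, sep, tail = stat_text.rpartition(")")
    if not sep:
        raise ValueError("malformed stat: no closing parenthesis")
    pid_str, sep2, _comm = head.partition(" (")
    if not sep2 or not pid_str.isdigit():
        raise ValueError("malformed stat: bad pid/comm prefix")
    rest = tail.split()
    if len(rest) < 5:
        raise ValueError("malformed stat: too few fields after comm")
    return int(rest[4])


def decode_dev(dev):
    """Split a Linux dev_t into (major, minor) using the glibc encoding:
    major in bits 8-19, minor in bits 0-7 and 20-31."""
    major = (dev >> 8) & 0xFFF
    minor = (dev & 0xFF) | ((dev >> 12) & 0xFFF00)
    return major, minor


def tty_nr_of_pid(pid="self"):
    """Read the real /proc/[pid]/stat (Linux only) with the robust parser.
    The whole file is read at once so a newline in comm cannot truncate it."""
    with open("/proc/%s/stat" % pid, "r") as f:
        return tty_nr_robust(f.read())


if __name__ == "__main__":
    print("naive  :", tty_nr_naive(STAT_SPACES))    # attacker-controlled "1"
    print("robust :", tty_nr_robust(STAT_SPACES))   # 34816 -> (136, 0) = /dev/pts/0
    print("decoded:", decode_dev(tty_nr_robust(STAT_SPACES)))
    if sys.platform.startswith("linux"):
        print("this process tty_nr:", tty_nr_of_pid())
```

The naive parser returns "1" for the first sample and nothing at all for the second, exactly the two failure modes the article describes; the robust parser returns 34816 for both. The design point is that the field boundaries can only be trusted after the last ')' because comm is the one field whose content a user controls through the executable's name.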


Exploiting CVE-2017-1000367

For the flaw to be exploited, the user must already have sudo privileges. SELinux must also be enabled on the system and sudo must have been built with SELinux support, researchers add.

To exploit the bug, the user can choose a device number that does not currently exist under /dev. If sudo does not find the terminal under the /dev/pts directory, it performs a breadth-first search of /dev. It is possible to allocate a pseudo-terminal after sudo has checked /dev/pts but before sudo performs its breadth-first search of /dev. The attacker may then create a symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm.


This file will be employed as the command’s standard input, output and error whenever an SELinux role is specified on the sudo command line. If the symbolic link under /dev/shm is replaced with a link to another file before it is opened by sudo, it is possible to overwrite an arbitrary file by writing to the standard output or standard error. This could be escalated to full root access by overwriting a trusted file such as /etc/shadow or even /etc/sudoers.


How to Fix CVE-2017-1000367

Fortunately, the issue is addressed and patched in sudo 1.8.20p1.

A further fix, for parsing a /proc/[pid]/stat file that contains a newline, is included in sudo 1.8.20p2. Due to changes in sudo 1.8.20p1 to how /dev is traversed, it is not possible to exploit a /proc/[pid]/stat file that contains a newline, researchers conclude.
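To turn the two version numbers above into a quick check, here is an added example (not part of the article or of the sudo project) that parses the first line of `sudo -V` output, which reads "Sudo version X.Y.ZpN", and compares it against 1.8.20p1 (the main fix) and 1.8.20p2 (the newline fix). The sample output strings are constructed; the `check_installed_sudo()` helper that actually runs `sudo -V` is an assumption about the local system and is only invoked when the script is run directly.

```python
import os
import re
import subprocess

# Thresholds taken from the article: 1.8.20p1 fixes the /dev traversal,
# 1.8.20p2 additionally fixes parsing of a stat file containing a newline.
MAIN_FIX = (1, 8, 20, 1)
NEWLINE_FIX = (1, 8, 20, 2)

# Matches "Sudo version 1.8.20p2" or "Sudo version 1.8.20" (no patch level).
_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Return (major, minor, micro, patchlevel) from `sudo -V` output.
    A release without a 'pN' suffix is treated as patchlevel 0, so that
    1.8.20 < 1.8.20p1 < 1.8.20p2 < 1.8.21 under plain tuple comparison."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def assess_version(version):
    """Classify an upstream sudo version against the two fixes."""
    version = tuple(version)
    if version >= NEWLINE_FIX:
        return "fixed"
    if version >= MAIN_FIX:
        return "fixed-except-newline"
    return "vulnerable-upstream-version"


def selinux_enabled():
    """Heuristic for the exploit precondition the article names: selinuxfs
    is mounted when SELinux is enabled, so this path exists (Linux only)."""
    return os.path.exists("/sys/fs/selinux/enforce")


def check_installed_sudo():
    """Run `sudo -V` (assumed available on PATH) and summarise the result."""
    proc = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False)
    version = parse_sudo_version(proc.stdout)
    return {
        "version": version,
        "upstream_status": assess_version(version),
        "selinux_enabled": selinux_enabled(),
    }


if __name__ == "__main__":
    print(check_installed_sudo())
```

Two caveats a practitioner would want: distributions commonly backport security fixes without bumping the upstream version string, so "vulnerable-upstream-version" means "check the package changelog", not "definitely exploitable"; and the SELinux check only covers one of the preconditions, since whether sudo was built with SELinux support is a build-time property of the package.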

Milena Dimitrova
