CVE-2017-1000367 is a severe root Linux vulnerability discovered by Qualys Security researchers. The flaw resides in Sudo's “get_process_ttyname()” function for Linux and could allow a user with sudo privileges to run commands as root or to elevate privileges to root.
Sudo, or “superuser do!”, is a program for Linux and UNIX that lets standard users run specific commands as the superuser or root user.
CVE-2017-1000367: details
The function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr), the researchers explain. The problem is that these fields are space-separated, and field 2 (comm, the filename of the command) can itself contain spaces, which is the root of the issue.
More specifically:
For example, if we execute Sudo through the symlink “./ 1 ”, get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number “1” in the built-in search_devs[]. Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to search for this non-existent tty device number “1” in a breadth-first traversal of “/dev”.
The vulnerability stems from the way Sudo parses “tty” information from the process status file in the proc filesystem. On Linux machines, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty from field 7 (tty_nr), as explained in the security alert.
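To make the parsing flaw concrete, here is an added example (not the page's or sudo's own code): a naive parse that splits /proc/[pid]/stat on single spaces and takes field 7, beside a parse that anchors on the last ')' closing comm. The sample stat lines are constructed, and the comm layout of five spaces, "1", five spaces is an assumption chosen so that the naive split lands on "1".

```c
#include <stdlib.h>
#include <string.h>

/* Naive parse: split /proc/[pid]/stat on single spaces and return field 7
 * (tty_nr). Not sudo's real code, but it carries the bug described above:
 * comm (field 2) is chosen by whoever names the executable and may contain
 * spaces, so every later field shifts. Returns -1 with fewer than 7 fields. */
long tty_nr_naive(const char *stat)
{
    const char *p = stat;
    for (int field = 1;; field++) {
        if (field == 7)
            return strtol(p, NULL, 10);   /* stops at the next space */
        const char *sp = strchr(p, ' ');
        if (sp == NULL)
            return -1;
        p = sp + 1;
    }
}

/* Robust parse: comm is the only field that may hold spaces, parentheses or
 * a newline, and it is wrapped in '(' ... ')'. Every later field is a number
 * or one state letter, so the LAST ')' ends comm; count fields from there
 * (state is field 3). Pass the whole file contents, not just the first line,
 * or a newline inside comm truncates the record before tty_nr is reached. */
long tty_nr_robust(const char *stat)
{
    const char *p = strrchr(stat, ')');
    if (p == NULL)
        return -1;
    p++;
    for (int field = 3;; field++) {
        while (*p == ' ')
            p++;
        if (*p == '\0')
            return -1;
        if (field == 7) {
            char *end;
            long v = strtol(p, &end, 10);
            return end == p ? -1 : v;
        }
        while (*p != '\0' && *p != ' ')
            p++;
    }
}

/* Constructed samples (34816 is /dev/pts/0 on a typical Linux box). The
 * second comm is five spaces, "1", five spaces: a binary run via a symlink so named. */
const char *STAT_PLAIN = "1234 (sudo) S 1000 1234 1234 34816 1234 4194304 0";
const char *STAT_SPACY = "1234 (     1     ) S 1000 1234 1234 34816 1234 4194304 0";
```

With the spaced comm the naive parse reports tty device number 1, which exists nowhere under /dev, while the anchored parse still returns the real pts device.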
Exploiting CVE-2017-1000367
For the flaw to be exploited, the user must already have sudo privileges.
SELinux must also be enabled on the system, and sudo must have been built with SELinux support, the researchers add.
To exploit the bug, the user can choose a device number that does not currently exist under /dev. If sudo does not find the terminal under the /dev/pts directory, it performs a breadth-first search of /dev. It is possible to allocate a pseudo-terminal after sudo has checked /dev/pts but before sudo performs its breadth-first search of /dev. The attacker may then create a symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm.
This file will be employed as the command’s standard input, output and error whenever an SELinux role is specified on the sudo command line. If the symbolic link under /dev/shm is replaced with a link to another file before it is opened by sudo, it is possible to overwrite an arbitrary file by writing to the standard output or standard error. This could be escalated to full root access by overwriting a trusted file such as /etc/shadow or even /etc/sudoers.
How to Fix CVE-2017-1000367
Fortunately, the issue is addressed and patched in sudo 1.8.20p1.
Additionally, the fix for parsing a /proc/[pid]/stat file that contains a newline is included in sudo 1.8.20p2. Due to the changes in sudo 1.8.20p1 to how /dev is traversed, it is not possible to exploit a /proc/[pid]/stat file that contains a newline, the researchers conclude.