A bug has been identified in sudo’s get_process_ttyname(). This significant vulnerability in the sudo command on SELinux-enabled systems grants root access to anyone with a shell account. Basically, a local user with privileges to execute commands via sudo could potentially use this flaw to grant themselves root privileges. It has been discovered that sudo did not correctly parse the contents of /proc/[pid]/stat when attempting to determine its controlling tty. In some configurations, a local attacker could use this flaw to overwrite any file on the filesystem, bypassing the assigned permissions and possibly even obtaining a root shell. Openwall describes the flaw:
We discovered a vulnerability in Sudo’s get_process_ttyname() for Linux:
this function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367).
For example, if we execute Sudo through the symlink “./ 1 “, get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number “1” in the built-in search_devs.
Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to search for this non-existent tty device number “1” in a breadth-first traversal of “/dev”.
Last, we exploit this function during its traversal of the world-writable “/dev/shm”: through this vulnerability, a local user can pretend that his tty is any character device on the filesystem, and after two race conditions, he can pretend that his tty is any file on the filesystem.
On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command’s output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command’s stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges.
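The parsing mistake at the root of the advisory can be shown on a stat line alone. The example below is added here and is not code from the original post or from the sudo project: it contrasts a naive "seventh space-separated field" parser with the approach the sudo fix took (resume parsing after the last ')', since comm is the only field that may contain spaces). Both stat lines are constructed for this example; 34816 is makedev(136, 0), i.e. /dev/pts/0.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * /proc/[pid]/stat layout (man 5 proc): pid (comm) state ppid pgrp session tty_nr ...
 * tty_nr is field 7, but comm (field 2) may itself contain spaces.
 * Constructed sample lines, not captured from a live system.
 */
static const char STAT_PLAIN[] =
    "4242 (sudo) S 4100 4242 4242 34816 4242 4194560 0 0 0 0 0 0 0 20 0 1 0 1234 0 0";
static const char STAT_SPACED[] =          /* comm chosen by the process owner */
    "4242 (a b c d e 7) S 4100 4242 4242 34816 4242 4194560 0 0 0 0 0 0 0 20 0 1 0 1234 0 0";

/* Naive: treat the whole line as space-separated and take the 7th token. */
static long tty_nr_naive(const char *line)
{
    char buf[512];
    char *tok;
    int field = 1;

    snprintf(buf, sizeof buf, "%s", line);
    for (tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " "), field++) {
        if (field == 7)
            return strtol(tok, NULL, 10);   /* "7)" parses as 7 on the spaced line */
    }
    return -1;
}

/* Hardened: skip past the LAST ')' so spaces inside comm cannot shift the fields. */
static long tty_nr_hardened(const char *line)
{
    const char *cp = strrchr(line, ')');
    char *end;
    long val;
    int field;

    if (cp == NULL)
        return -1;
    cp++;                                   /* at " state ppid pgrp session tty_nr ..." */
    for (field = 3; field < 7; field++) {   /* skip state, ppid, pgrp, session */
        cp = strchr(cp + 1, ' ');
        if (cp == NULL)
            return -1;
    }
    val = strtol(cp + 1, &end, 10);
    /* Reject garbage: the field must be a number terminated by a space or end of line. */
    return (end != cp + 1 && (*end == ' ' || *end == '\0')) ? val : -1;
}
```

On the plain line both parsers agree on 34816; on the spaced line the naive parser returns a value dictated by the command name while the hardened parser still returns 34816.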
If you are running on any one of the following Linux distributions, you are susceptible to this flaw and should patch your system as soon as possible:
- Debian wheezy
- Debian jessie
- Debian stretch
- Debian sid
- Red Hat Enterprise Linux 6 (sudo)
- Red Hat Enterprise Linux 7 (sudo)
- Red Hat Enterprise Linux Server (v. 5 ELS) (sudo)
- SUSE Linux Enterprise Software Development Kit 12-SP2
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
- SUSE Linux Enterprise Server 12-SP2
- SUSE Linux Enterprise Desktop 12-SP2
- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- CentOS Linux 6 (sudo)
- CentOS Linux 7 (sudo)
- Oracle Enterprise Linux 6
- Oracle Enterprise Linux 7
- Oracle Enterprise Linux Server 5
- OpenSuse, Slackware, and Gentoo Linux
How To Patch Sudo
You are going to begin by opening your terminal with:
Decide which package manager applies to your system and run the listed commands one after the other.
Debian/Ubuntu Linux Server
sudo apt update
sudo apt upgrade
CentOS/RHEL/Scientific/Oracle Linux Server
sudo yum update
Fedora Linux Server
sudo dnf update
Suse/OpenSUSE Linux Server
sudo zypper update
Arch Linux Server
sudo pacman -Syu
Alpine Linux Server
apk update && apk upgrade
Slackware Linux Server
Gentoo Linux Server
emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.20_p1"
Should you have any challenges, please share them in the comments section provided below. Thanks for visiting Base64!