High-Severity Linux Sudo Flaw Allows Users to Gain Root Privileges

7 replies to this topic

#1 NickAu
Posted 01 June 2017 - 04:50 PM
========================================================================
Analysis
========================================================================

We discovered a vulnerability in Sudo's get_process_ttyname() for Linux:
this function opens "/proc/[pid]/stat" (man proc) and reads the device
number of the tty from field 7 (tty_nr). Unfortunately, these fields are
space-separated and field 2 (comm, the filename of the command) can
contain spaces (CVE-2017-1000367).

For example, if we execute Sudo through the symlink "./ 1 ",
get_process_ttyname() calls sudo_ttyname_dev() to search for the
non-existent tty device number "1" in the built-in search_devs[].

Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to
search for this non-existent tty device number "1" in a breadth-first
traversal of "/dev".

Last, we exploit this function during its traversal of the
world-writable "/dev/shm": through this vulnerability, a local user can
pretend that his tty is any character device on the filesystem, and
after two race conditions, he can pretend that his tty is any file on
the filesystem.

On an SELinux-enabled system, if a user is Sudoer for a command that
does not grant him full root privileges, he can overwrite any file on
the filesystem (including root-owned files) with his command's output,
because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK)
on his tty and dup2()s it to the command's stdin, stdout, and stderr.
This allows any Sudoer user to obtain full root privileges.

http://www.openwall.com/lists/oss-security/2017/05/30/16
Several Linux distros have issued updates to fix a vulnerability in Sudo, a Linux app behind the "sudo" command, which can allow an unprivileged attacker to gain root privileges.

The issue, tracked as CVE-2017-1000367, came to light two days ago when security researchers from Qualys published an advisory on the matter.

Researchers say that an attacker that is in the position to run bash commands can create malformed sudo commands that will allow him to overwrite any file on the system, even root-owned content. In other words, the attacker gains the root-level privileges.
https://www.bleepingcomputer.com/news/security/linux-distros-patch-dangerous-vulnerability-in-sudo-command/


Edited by NickAu, 01 June 2017 - 04:56 PM.
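An added example, not code from the Qualys advisory or from sudo itself, showing the parsing problem the advisory describes: a /proc/[pid]/stat parser that splits on spaces, beside one that skips past the last ')' of the comm field. The sample stat line and both function names are constructed for this illustration.

```c
/* Added example, not from the Qualys advisory or sudo's own source: read
 * tty_nr (field 7) of a /proc/[pid]/stat line two ways. The space-split
 * parser shows the class of bug behind CVE-2017-1000367; the second anchors
 * on the last ')' because comm (field 2) is the only field that may
 * contain spaces or parentheses. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: pid 1234, comm " 1 " (a command name containing
 * spaces, like the "./ 1 " symlink in the advisory), state S, ppid 1000,
 * pgrp 1234, session 1234, tty_nr 34817 (major 136, minor 1, i.e. pts/1). */
static const char SAMPLE_STAT[] =
    "1234 ( 1 ) S 1000 1234 1234 34817 1234 4194560 0 0 0 0";

/* Naive: tokenise on spaces and take token 7. Spaces inside comm shift
 * every later field, so the wrong value is read. Returns -1 on a short line. */
long tty_nr_naive(const char *line)
{
    char buf[512];
    int field = 0;
    snprintf(buf, sizeof buf, "%s", line);      /* strtok needs a writable copy */
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " "))
        if (++field == 7)
            return strtol(tok, NULL, 10);
    return -1;
}

/* Robust: skip past the last ')' (end of comm), then count fields starting
 * at state (field 3); tty_nr is the 5th token after the ')'. */
long tty_nr_robust(const char *line)
{
    const char *p = strrchr(line, ')');
    int field = 2;
    if (!p) return -1;
    for (p++; *p; ) {
        while (*p == ' ') p++;                  /* skip separators */
        if (!*p) break;
        if (++field == 7)
            return strtol(p, NULL, 10);
        while (*p && *p != ' ') p++;            /* skip this token */
    }
    return -1;
}

int main(void)
{
    printf("naive tty_nr  = %ld\n", tty_nr_naive(SAMPLE_STAT));   /* 1234 */
    printf("robust tty_nr = %ld\n", tty_nr_robust(SAMPLE_STAT));  /* 34817 */
}
```

The naive parser reads the pgrp-shifted value 1234 for the sample line, while the robust parser returns the real device number 34817; both agree only when comm contains no spaces.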

#2 pcpunk
Posted 01 June 2017 - 06:16 PM

Thank you Nick!


#3 Mike_Walsh
Posted 01 June 2017 - 07:34 PM

Whoops.....  :rolleyes:
Mike.  :wink:

#4 Gary R
Posted 01 June 2017 - 11:53 PM

Glad to see they've issued a patch already.



#5 mremski
Posted 02 June 2017 - 03:29 AM

But note that the uid must already be in the sudo file allowed to execute a command. And then non-trivial machinations to do what you want.

Still should be fixed, but once again, you need to know your system, you need to understand how the attack works, not just the fact "OMG sudo is vulnerable!!!!"   Heck if you execute sudo /bin/bash you can do whatever you want, no?
Is this perhaps a good argument for use of su vs sudo?


#6 The-Toolman
Posted 02 June 2017 - 03:42 AM

Is this perhaps a good argument for use of su vs sudo?

What is the difference between su and sudo?

I have used su in antix 16 and MX 16 where a "Root Terminal" exists.
I believe su is used for what I know to be a true root terminal and then I must enter a true root password.


#7 mremski
Posted 02 June 2017 - 06:17 AM
Is this perhaps a good argument for use of su vs sudo?

What is the difference between su and sudo?

I have used su in antix 16 and MX 16 where a "Root Terminal" exists.
I believe su is used for what I know to be a true root terminal and then I must enter a true root password.
Pedantically, "su" is "set user". You can use it to set to any username on the system; the default is "set user to root". As you point out, you need to know the password of the username you want to set to; from that point on, you are running as that user.

"sudo" is "do a command as superuser": the single command is run with elevated privileges. Now if you do "sudo /bin/bash" you wind up in a bash shell at elevated privs, fundamentally the same thing as "su - root" (the dash tells su to run as if the user had logged in, so you'll get different paths and prompts).

sudo has a configuration file that allows one to limit what commands a user can run with elevated privs so you can constrain a user but as the OP points out in the article, you can break out of that constraint if you put in the effort.


#8 SuperSapien64
Posted 02 June 2017 - 06:08 PM

This is why I always surf the web from a non-admin account and use Firejail.