SecurityTracker.com
Category:   Application (Generic)  >   Sudo
Vendors:   sudo.ws
Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
SecurityTracker Alert ID:  1038582
SecurityTracker URL:  http://securitytracker.com/id/1038582
CVE Reference:   CVE-2017-1000367, CVE-2017-1000368
Updated:  Jun 5 2017
Original Entry Date:  May 30 2017
Impact:   Modification of system information, Modification of user information, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.8.6p7 through 1.8.20
Description:   A vulnerability was reported in Sudo. A local user can obtain root privileges on the target system.

A local user can issue a specially crafted sudo command to trigger a command validation flaw in the get_process_ttyname() function and cause the system to recognize the user's tty as an arbitrary file on the target system. A local user can exploit this to overwrite arbitrary files on the target system.

Systems with SELinux enabled and with sudo built with SELinux support are affected.

Qualys, Inc. reported this vulnerability.

Impact:   A local user can overwrite arbitrary files with root privileges on the target system.
Solution:   The vendor has issued a fix (1.8.20p2).

[Editor's note: Stephane Chazelas reported that the original fix (1.8.20p1) did not address command names that include a newline [CVE-2017-1000368]; the original fix can be exploited to access another user's tty but cannot be exploited for file overwrite.]

The vendor advisory is available at:

https://www.sudo.ws/alerts/linux_tty.html

Vendor URL:  www.sudo.ws/alerts/linux_tty.html
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 30 2017 (Red Hat Issues Fix) Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
May 30 2017 (Ubuntu Issues Fix) Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, 16.10, and 17.04.
May 31 2017 (Red Hat Issues Fix) Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
May 31 2017 (Oracle Issues Fix for Oracle Linux) Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
Oracle has issued a fix for Oracle Linux 6 and 7.
May 31 2017 (Red Hat Issues Fix) Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 5 Extended Lifecycle Support.
May 31 2017 (CentOS Issues Fix) Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
CentOS has issued a fix for CentOS 6 and 7.
Jun 2 2017 (Oracle Issues Fix for Oracle Linux) Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
Oracle has issued a fix for Oracle Linux 5.
Jun 22 2017 (Red Hat Issues Fix) Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
Red Hat has issued a fix for Red Hat Enterprise Linux 5, 6, and 7.
Jun 23 2017 (CentOS Issues Fix) Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
CentOS has issued a fix for CentOS 6 and 7.
Jun 23 2017 (Oracle Issues Fix for Oracle Linux) Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
Oracle has issued a fix for Oracle Linux 6.
Jun 23 2017 (Oracle Issues Fix for Oracle Linux) Sudo get_process_ttyname() Command Validation Flaw Lets Local Users Obtain Root Privileges
Oracle has issued a fix for Oracle Linux 7.



 Source Message Contents

Date:  Tue, 30 May 2017 08:16:29 -0700
Subject:  [oss-security] Qualys Security Advisory - CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux


Qualys Security Advisory

CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux


========================================================================
Contents
========================================================================

Analysis
Exploitation
Example
Acknowledgments


========================================================================
Analysis
========================================================================

We discovered a vulnerability in Sudo's get_process_ttyname() for Linux:
this function opens "/proc/[pid]/stat" (man proc) and reads the device
number of the tty from field 7 (tty_nr). Unfortunately, these fields are
space-separated and field 2 (comm, the filename of the command) can
contain spaces (CVE-2017-1000367).

For example, if we execute Sudo through the symlink "./     1 ",
get_process_ttyname() calls sudo_ttyname_dev() to search for the
non-existent tty device number "1" in the built-in search_devs[].

Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to
search for this non-existent tty device number "1" in a breadth-first
traversal of "/dev".

Last, we exploit this function during its traversal of the
world-writable "/dev/shm": through this vulnerability, a local user can
pretend that his tty is any character device on the filesystem, and
after two race conditions, he can pretend that his tty is any file on
the filesystem.

On an SELinux-enabled system, if a user is Sudoer for a command that
does not grant him full root privileges, he can overwrite any file on
the filesystem (including root-owned files) with his command's output,
because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK)
on his tty and dup2()s it to the command's stdin, stdout, and stderr.
This allows any Sudoer user to obtain full root privileges.


========================================================================
Exploitation
========================================================================

To exploit this vulnerability, we:

- create a directory "/dev/shm/_tmp" (to work around
  /proc/sys/fs/protected_symlinks), and a symlink "/dev/shm/_tmp/_tty"
  to a non-existent pty "/dev/pts/57", whose device number is 34873;

- run Sudo through a symlink "/dev/shm/_tmp/     34873 " that spoofs the
  device number of this non-existent pty;

- set the flag CD_RBAC_ENABLED through the command-line option "-r role"
  (where "role" can be our current role, for example "unconfined_r");

- monitor our directory "/dev/shm/_tmp" (for an IN_OPEN inotify event)
  and wait until Sudo opendir()s it (because sudo_ttyname_dev() cannot
  find our non-existent pty in "/dev/pts/");

- SIGSTOP Sudo, call openpty() until it creates our non-existent pty,
  and SIGCONT Sudo;

- monitor our directory "/dev/shm/_tmp" (for an IN_CLOSE_NOWRITE inotify
  event) and wait until Sudo closedir()s it;

- SIGSTOP Sudo, replace the symlink "/dev/shm/_tmp/_tty" to our
  now-existent pty with a symlink to the file that we want to overwrite
  (for example "/etc/passwd"), and SIGCONT Sudo;

- control the output of the command executed by Sudo (the output that
  overwrites "/etc/passwd"):

  . either through a command-specific method;

  . or through a general method such as "--\nHELLO\nWORLD\n" (by
    default, getopt() prints an error message to stderr if it does not
    recognize an option character).

To reliably win the two SIGSTOP races, we preempt the Sudo process: we
setpriority() it to the lowest priority, sched_setscheduler() it to
SCHED_IDLE, and sched_setaffinity() it to the same CPU as our exploit.


========================================================================
Example
========================================================================

We will publish our Sudoer-to-root exploit
(Linux_sudo_CVE-2017-1000367.c) in the near future:

[john@localhost ~]$ head -n 8 /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt

[john@localhost ~]$ sudo -l
[sudo] password for john:
...
User john may run the following commands on localhost:
    (ALL) /usr/bin/sum

[john@localhost ~]$ ./Linux_sudo_CVE-2017-1000367 /usr/bin/sum $'--\nHELLO\nWORLD\n'
[sudo] password for john:

[john@localhost ~]$ head -n 8 /etc/passwd
/usr/bin/sum: unrecognized option '--
HELLO
WORLD
'
Try '/usr/bin/sum --help' for more information.
ogin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin


========================================================================
Acknowledgments
========================================================================

We thank Todd C. Miller for his great work and quick response, and the
members of the distros list for their help with the disclosure of this
vulnerability.
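The Analysis section above explains the root cause: /proc/[pid]/stat is space-separated, but field 2 (comm) may itself contain spaces, newlines and even ')', so a parser that walks to field 7 by counting spaces can be steered to read an attacker-chosen value as tty_nr. The following is an added example (not code from Sudo or from the Qualys advisory) that puts a space-counting parser beside a parser that skips comm by locating the last ')' in the buffer, the approach Sudo's fix uses, and decodes tty_nr into a major/minor pair so the resulting device can be checked. The stat lines are constructed samples; the numeric tails after field 7 are abbreviated and not significant.

```python
"""
Naive vs. robust parsing of tty_nr (field 7) from /proc/[pid]/stat.

Added example, not code from Sudo or from the Qualys advisory.
The sample stat lines are constructed, not captured from a real system.
"""
from typing import Optional, Tuple

# proc(5): "pid (comm) state ppid pgrp session tty_nr tpgid flags ..."
# Constructed sample lines; only the first seven fields matter here.
SAMPLE_NORMAL = "4242 (sudo) S 4100 4242 4100 34816 4242 4194560 200 0 0 0 1 0 0 0 20 0 1 0 0"
# comm with five leading spaces and a trailing one, mirroring the
# advisory's symlink name "./     1 " (constructed).
SAMPLE_SPOOFED = "4243 (     1 ) S 4100 4243 4100 34816 4243 4194560 200 0 0 0 1 0 0 0 20 0 1 0 0"
# comm that itself contains ')' and spaces: shows why the LAST ')' is used.
SAMPLE_PAREN = "4244 (x) 1 2 3 4 5) S 4100 4244 4100 34816 4244 4194560 200 0 0 0 1 0 0 0 20 0 1 0 0"


def naive_tty_nr(stat_text: str) -> Optional[int]:
    """Walk to field 7 by counting single-space separators.

    This models the parsing style the advisory describes as vulnerable:
    every space advances the field counter, so spaces inside comm shift
    the count and an attacker-chosen comm substring lands in position 7.
    Returns None when the token in that position is not an integer.
    """
    try:
        return int(stat_text.split(" ")[6])
    except (IndexError, ValueError):
        return None


def robust_tty_nr(stat_text: str) -> int:
    """Skip past comm by finding the LAST ')' in the buffer.

    comm is the only field that may contain spaces, newlines or ')';
    every field after it is a single state letter or an integer, so the
    last ')' reliably terminates comm. tty_nr is then the fifth
    whitespace-separated token after it (state ppid pgrp session tty_nr).
    """
    end = stat_text.rindex(")")
    rest = stat_text[end + 1:].split()
    return int(rest[4])


def dev_split(dev: int) -> Tuple[int, int]:
    """Split a Linux dev_t value (as stored in tty_nr) into (major, minor)."""
    major = (dev >> 8) & 0xFFF
    minor = (dev & 0xFF) | ((dev >> 12) & 0xFFF00)
    return major, minor


def describe(dev: int) -> str:
    """Name the device tty_nr points at; major 136 is the Unix98 pty slave range."""
    major, minor = dev_split(dev)
    if major == 136:
        return f"/dev/pts/{minor}"
    return f"char device {major}:{minor}"


def self_tty_nr() -> Optional[int]:
    """Parse the calling process's own stat entry with the robust parser (Linux only)."""
    try:
        with open("/proc/self/stat") as f:
            return robust_tty_nr(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    for name, line in (("normal", SAMPLE_NORMAL), ("spoofed", SAMPLE_SPOOFED), ("paren", SAMPLE_PAREN)):
        dev = robust_tty_nr(line)
        print(f"{name:8s} naive={naive_tty_nr(line)!s:>6} robust={dev} -> {describe(dev)}")
    own = self_tty_nr()
    if own is not None:
        print(f"this process: tty_nr={own} -> {describe(own)}")
```

On the spoofed sample the space-counting parser returns 1 while the last-')' parser still returns 34816 (/dev/pts/0); on the sample whose comm contains ')' the naive parser cannot even produce an integer. The advisory's device number 34873 decodes to major 136, minor 57, i.e. /dev/pts/57, matching the pty named in its Exploitation section. A parser that must trust tty_nr should additionally stat() the resolved path and confirm it is a character device with that exact st_rdev before using it, rather than accepting the first directory entry with a matching name.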

Copyright 2017, SecurityGlobal.net LLC