Security updates have been issued for several Linux distributions to address a flaw in Sudo.
Sudo allows users to run programs with the security privileges of another user, by default the superuser. Users must, by default, supply their own password for authentication, rather than the password of the target user. After authentication, and if the configuration file, which is typically located at /etc/sudoers, permits the user access, the system invokes the requested command.
Sudo is bundled as a default app in many of today's Linux distributions. Red Hat, CentOS, SUSE, Debian, and Ubuntu have released urgent security updates to address the issue. The issue doesn't affect all Linux distributions, only those where SELinux is enabled and Sudo was built with SELinux support.
The issue, tracked as CVE-2017-1000367, came to light when security researchers from Qualys published an advisory on the matter. The vulnerability allows a local user who is permitted to run even a single restricted command through Sudo to make Sudo treat an arbitrary file as the user's terminal, and so overwrite any file on the affected system, including root-owned files. In other words, the attacker gains root-level privileges.
Below is Qualys' technical explanation of the flaw. Proof-of-concept exploit code is available in the company's original advisory, which can be found here.
We discovered a vulnerability in Sudo's get_process_ttyname() for Linux: this function opens "/proc/[pid]/stat" (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367).

For example, if we execute Sudo through the symlink "./ 1 ", get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number "1" in the built-in search_devs[]. Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to search for this non-existent tty device number "1" in a breadth-first traversal of "/dev". Last, we exploit this function during its traversal of the world-writable "/dev/shm": through this vulnerability, a local user can pretend that his tty is any character device on the filesystem, and after two race conditions, he can pretend that his tty is any file on the filesystem.

On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command's output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command's stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges.
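The root cause Qualys describes is a parsing assumption: /proc/[pid]/stat is treated as a flat space-separated record, but field 2 (comm) is the process name and may itself contain spaces and parentheses. The added example below is not Qualys' or the sudo project's code; it is a simplified reconstruction of that defect next to a hardened parser, run over constructed stat lines (not captured from a real system). The naive parser counts tokens from the start of the line, so a process name with spaces shifts which token is read as "field 7". The hardened parser anchors on the last ')' in the line, since comm is the only field that can contain spaces or parentheses and is always enclosed in "(...)", and counts fields from there, which is also the approach the sudo fix took. The function names and the 34816 sample value (makedev(136, 0), i.e. /dev/pts/0) are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample lines in the format of /proc/[pid]/stat (not captured
 * from a real system). tty_nr (field 7) is 34816 = makedev(136, 0), i.e.
 * /dev/pts/0, in all three lines; only comm (field 2) differs. */
static const char *STAT_NORMAL =
    "4242 (sudo) S 4200 4242 4242 34816 4242 4194304 0";
/* comm is " 1 ", the name sudo would report when run via a symlink "./ 1 " */
static const char *STAT_COMM_SPACES =
    "4242 ( 1 ) S 4200 4242 4242 34816 4242 4194304 0";
/* comm contains ')' and spaces, so the FIRST ')' is not the end of comm */
static const char *STAT_COMM_PAREN =
    "4242 (a) S 1 2 3 4 5) S 4200 4242 4242 34816 4242 4194304 0";

/* Space-splitting parser: a simplified reconstruction of the defect the
 * advisory describes, not sudo's actual code. It assumes every field is
 * space-free, so spaces in comm shift the field count and "field 7" becomes
 * whatever the process name put there. Returns -1 on parse failure. */
long tty_nr_naive(const char *stat_line)
{
    char *copy = strdup(stat_line);
    if (copy == NULL)
        return -1;
    long result = -1;
    int field = 0;
    char *saveptr = NULL;
    for (char *tok = strtok_r(copy, " ", &saveptr); tok != NULL;
         tok = strtok_r(NULL, " ", &saveptr)) {
        if (++field == 7) {
            char *end;
            errno = 0;
            result = strtol(tok, &end, 10);
            if (errno != 0 || end == tok || *end != '\0')
                result = -1;
            break;
        }
    }
    free(copy);
    return result;
}

/* Hardened parser: anchor on the LAST ')' (end of comm) and count fields from
 * there; field 3 (state) follows it, so field 7 is the fifth token after the
 * parenthesis. Nothing inside the process name can move it. Returns -1 on
 * malformed or truncated input. */
long tty_nr_robust(const char *stat_line)
{
    const char *lparen = strchr(stat_line, '(');
    const char *rparen = strrchr(stat_line, ')');
    if (lparen == NULL || rparen == NULL || rparen < lparen)
        return -1;
    const char *p = rparen + 1;
    for (int field = 3; field <= 7; field++) {
        while (*p == ' ')
            p++;
        if (*p == '\0' || *p == '\n')
            return -1;                       /* line too short */
        if (field == 7) {
            char *end;
            errno = 0;
            long value = strtol(p, &end, 10);
            if (errno != 0 || end == p)
                return -1;
            if (*end != ' ' && *end != '\0' && *end != '\n')
                return -1;                   /* not a clean integer */
            return value;
        }
        while (*p != ' ' && *p != '\0' && *p != '\n')
            p++;                             /* skip fields 3..6 */
    }
    return -1;
}

int main(void)
{
    const char *samples[] = { STAT_NORMAL, STAT_COMM_SPACES, STAT_COMM_PAREN };
    for (size_t i = 0; i < 3; i++)
        printf("naive=%ld robust=%ld  <- %s\n",
               tty_nr_naive(samples[i]), tty_nr_robust(samples[i]), samples[i]);
    return 0;
}
```

On the first line both parsers agree; on the other two the naive parser returns a number that came from the process name rather than the kernel, while the hardened parser still returns 34816. The same pattern applies to any code that reads /proc/[pid]/stat: never tokenize from the left, always skip past the last ')' first.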