Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 02 Jun 2017 12:48:20 -0600
From: "Todd C. Miller" <Todd.Miller@...rtesan.com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Arbitrary terminal access via sudo on Linux

The fix for CVE-2017-1000367 present in sudo 1.8.20p1 was incomplete
as it did not address the posibility of a program name that contains
a newline character.  This was fixed by sudo 1.8.20p2.  At the time,
this was not believed to be a security issue due to the change in
/dev traversal that was also part of sudo 1.8.20p1.

However, there is another vector that can be exploited in sudo's
get_process_ttyname() function under Linux.  The user can choose a
device number that corresponds to a terminal currently in use by
another user.  This allows an attacker to run any command allowed
by sudo with read and write access to an arbitrary terminal device.
Depending on the command, it may be possible to read sensitive data
(such as a password) from another user's terminal.

This alternate vector is still exploitable in sudo 1.8.20p1 when a
symbolic link is made from the sudo binary to a name that contains
a newline followed by a valid device number.  The full fix is
included in sudo 1.8.20p2, released May 31, 2017.

I have updated https://www.sudo.ws/alerts/linux_tty.html accordingly.
As before, the bug is specific to Linux systems that have SELinux
enabled.  Sudo reopens the terminal device after changing its SELinux
context when a role or type is specified on the command line.

Thanks to Stephane Chazelas, who pointed out that the original patch
did not address command names that include a newline, and Solar
Designer, who noticed that the bug could also be used to access
another user's terminal.

 - todd

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ