Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 2 Jun 2017 12:51:55 -0600
From: Kurt Seifried <>
To: oss-security <>
Subject: Re: Arbitrary terminal access via sudo on Linux

On Fri, Jun 2, 2017 at 12:48 PM, Todd C. Miller <>

> The fix for CVE-2017-1000367 present in sudo 1.8.20p1 was incomplete
> as it did not address the posibility of a program name that contains
> a newline character.  This was fixed by sudo 1.8.20p2.  At the time,
> this was not believed to be a security issue due to the change in
> /dev traversal that was also part of sudo 1.8.20p1.
> However, there is another vector that can be exploited in sudo's
> get_process_ttyname() function under Linux.  The user can choose a
> device number that corresponds to a terminal currently in use by
> another user.  This allows an attacker to run any command allowed
> by sudo with read and write access to an arbitrary terminal device.
> Depending on the command, it may be possible to read sensitive data
> (such as a password) from another user's terminal.
> This alternate vector is still exploitable in sudo 1.8.20p1 when a
> symbolic link is made from the sudo binary to a name that contains
> a newline followed by a valid device number.  The full fix is
> included in sudo 1.8.20p2, released May 31, 2017.

Ok, I read the diff:

+       Sudo 1.8.20p2
+       [47836f4c9834]
+       * src/ttyname.c:
+       A command name may also contain newline characters so read
+       /proc/self/stat until EOF. It is not legal for /proc/self/stat to
+       contain embedded NUL bytes so treat the file as corrupt if we see
+       any. With help from Qualys.
+       This is not exploitable due to the /dev traversal changes in sudo
+       1.8.20p1 (thanks Solar!).

which says it is NOT exploitable, but you're saying that it is actually
exploitable? If confirmed yes I'll get you a new CVE for this asap. Thanks.

> I have updated accordingly.
> As before, the bug is specific to Linux systems that have SELinux
> enabled.  Sudo reopens the terminal device after changing its SELinux
> context when a role or type is specified on the command line.
> Thanks to Stephane Chazelas, who pointed out that the original patch
> did not address command names that include a newline, and Solar
> Designer, who noticed that the bug could also be used to access
> another user's terminal.
>  - todd


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ