Date: Fri, 2 Jun 2017 12:51:55 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security <oss-security@...ts.openwall.com> Subject: Re: Arbitrary terminal access via sudo on Linux On Fri, Jun 2, 2017 at 12:48 PM, Todd C. Miller <Todd.Miller@...rtesan.com> wrote: > The fix for CVE-2017-1000367 present in sudo 1.8.20p1 was incomplete > as it did not address the posibility of a program name that contains > a newline character. This was fixed by sudo 1.8.20p2. At the time, > this was not believed to be a security issue due to the change in > /dev traversal that was also part of sudo 1.8.20p1. > > However, there is another vector that can be exploited in sudo's > get_process_ttyname() function under Linux. The user can choose a > device number that corresponds to a terminal currently in use by > another user. This allows an attacker to run any command allowed > by sudo with read and write access to an arbitrary terminal device. > Depending on the command, it may be possible to read sensitive data > (such as a password) from another user's terminal. > > This alternate vector is still exploitable in sudo 1.8.20p1 when a > symbolic link is made from the sudo binary to a name that contains > a newline followed by a valid device number. The full fix is > included in sudo 1.8.20p2, released May 31, 2017. > Ok, I read the diff: + Sudo 1.8.20p2 + [47836f4c9834] + + * src/ttyname.c: + A command name may also contain newline characters so read + /proc/self/stat until EOF. It is not legal for /proc/self/stat to + contain embedded NUL bytes so treat the file as corrupt if we see + any. With help from Qualys. + + This is not exploitable due to the /dev traversal changes in sudo + 1.8.20p1 (thanks Solar!). which says it is NOT exploitable, but you're saying that it is actually exploitable? If confirmed yes I'll get you a new CVE for this asap. Thanks. > > I have updated https://www.sudo.ws/alerts/linux_tty.html accordingly. > As before, the bug is specific to Linux systems that have SELinux > enabled. Sudo reopens the terminal device after changing its SELinux > context when a role or type is specified on the command line. > > Thanks to Stephane Chazelas, who pointed out that the original patch > did not address command names that include a newline, and Solar > Designer, who noticed that the bug could also be used to access > another user's terminal. > > - todd > -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ