Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 2 Jun 2017 12:51:55 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Arbitrary terminal access via sudo on Linux

On Fri, Jun 2, 2017 at 12:48 PM, Todd C. Miller <Todd.Miller@...rtesan.com>
wrote:

> The fix for CVE-2017-1000367 present in sudo 1.8.20p1 was incomplete
> as it did not address the posibility of a program name that contains
> a newline character.  This was fixed by sudo 1.8.20p2.  At the time,
> this was not believed to be a security issue due to the change in
> /dev traversal that was also part of sudo 1.8.20p1.
>
> However, there is another vector that can be exploited in sudo's
> get_process_ttyname() function under Linux.  The user can choose a
> device number that corresponds to a terminal currently in use by
> another user.  This allows an attacker to run any command allowed
> by sudo with read and write access to an arbitrary terminal device.
> Depending on the command, it may be possible to read sensitive data
> (such as a password) from another user's terminal.
>
> This alternate vector is still exploitable in sudo 1.8.20p1 when a
> symbolic link is made from the sudo binary to a name that contains
> a newline followed by a valid device number.  The full fix is
> included in sudo 1.8.20p2, released May 31, 2017.
>

Ok, I read the diff:

+       Sudo 1.8.20p2
+       [47836f4c9834]
+
+       * src/ttyname.c:
+       A command name may also contain newline characters so read
+       /proc/self/stat until EOF. It is not legal for /proc/self/stat to
+       contain embedded NUL bytes so treat the file as corrupt if we see
+       any. With help from Qualys.
+
+       This is not exploitable due to the /dev traversal changes in sudo
+       1.8.20p1 (thanks Solar!).

which says it is NOT exploitable, but you're saying that it is actually
exploitable? If confirmed yes I'll get you a new CVE for this asap. Thanks.


>
> I have updated https://www.sudo.ws/alerts/linux_tty.html accordingly.
> As before, the bug is specific to Linux systems that have SELinux
> enabled.  Sudo reopens the terminal device after changing its SELinux
> context when a role or type is specified on the command line.
>
> Thanks to Stephane Chazelas, who pointed out that the original patch
> did not address command names that include a newline, and Solar
> Designer, who noticed that the bug could also be used to access
> another user's terminal.
>
>  - todd
>



-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.