Potential file overwrite or tty access on Linux

Release Date:

This advisory was originally released on May 30, 2017. A revised version, released on June 2, 2017, describes the possibility of running a command attached to an arbitrary terminal.

Summary:

On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process's tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include white space (including newline), which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user's choosing by creating a symbolic link from the sudo binary to a name that contains white space followed by a number.

If SELinux is enabled on the system and sudo was built with SELinux support, this can be exploited in one of two ways:

  • A user with sudo privileges may be able to run a command with the standard input, output and error connected to a terminal device of their choosing.

  • A user with sudo privileges may be able to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers.

Sudo versions affected:

Sudo 1.7.10 through 1.7.10p9 inclusive and Sudo 1.8.5 through 1.8.20p1 inclusive.
The fix present in sudo 1.8.20p1 was incomplete.

CVE ID:

This vulnerability was initially assigned CVE-2017-1000367 in the Common Vulnerabilities and Exposures database.

It was later discovered that the fix present in sudo 1.8.20p1 was incomplete as it did not address the problem of a command with a newline in the name. CVE-2017-1000368 was assigned for this additional issue.

Details:

Exploiting the bug requires that the user already have sudo privileges. SELinux must also be enabled on the system and sudo must have been built with SELinux support.

There are two ways to exploit the bug:

  • The user can choose a device number that corresponds to a terminal currently in use by another user. This allows an attacker to run any command allowed by sudo with read and write access to an arbitrary terminal device. Depending on the command, it may be possible to read sensitive data (such as a password) from another user's terminal.

  • Alternately, the user can choose a device number that does not currently exist under /dev. If sudo does not find the terminal under the /dev/pts directory, it performs a breadth-first search of /dev. It is possible to allocate a pseudo-terminal after sudo has checked /dev/pts but before sudo performs its breadth-first search of /dev. The attacker may then create a symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm.

    This file will be used as the command's standard input, output and error when an SELinux role is specified on the sudo command line. If the symbolic link under /dev/shm is replaced with a link to an another file before it is opened by sudo, it is possible to overwrite an arbitrary file by writing to the standard output or standard error. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers.

    For more details on exploitation, please see the Qualys Security Advisory.

Fix:

The bug is fixed in sudo 1.8.20p2.

Sudo 1.8.20p1 included a fix for overwriting an arbitrary file but it is still possible to write to another user's terminal.

Credit:

This bug was discovered and analyzed by Qualys, Inc who also provided helpful advice and feedback on the fix.

Thanks are also due to Stephane Chazelas, who pointed out that the original patch did not address command names that include a newline, and Solar Designer, who noticed that the bug could also be used to hijack another user's terminal.