On Linux systems, sudo parses the
to determine the device number of the process’s tty (field 7). The
fields in the file are space-delimited, but it is possible for the
command name (field 2) to include white space (including newline),
which sudo does not account for. A user with sudo privileges can
cause sudo to use a device number of the user’s choosing by creating
a symbolic link from the sudo binary to a name that contains white
space followed by a number.
If SELinux is enabled on the system and sudo was built with SELinux support, this can be exploited in one of two ways:
A user with sudo privileges may be able to run a command with the standard input, output and error connected to a terminal device of their choosing.
A user with sudo privileges may be able to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as
Sudo 1.7.10 through 1.7.10p9 inclusive and Sudo 1.8.5 through 1.8.20p1 inclusive.
The fix present in sudo 1.8.20p1 was incomplete.
This vulnerability was initially assigned CVE-2017-1000367 in the Common Vulnerabilities and Exposures database. It was later discovered that the fix present in sudo 1.8.20p1 was incomplete as it did not address the problem of a command with a newline in the name. CVE-2017-1000368 was assigned for this additional issue.
Exploiting the bug requires that the user already have sudo privileges. SELinux must also be enabled on the system and sudo must have been built with SELinux support.
There are two ways to exploit the bug:
The user can choose a device number that corresponds to a terminal currently in use by another user. This allows an attacker to run any command allowed by sudo with read and write access to an arbitrary terminal device. Depending on the command, it may be possible to read sensitive data (such as a password) from another user’s terminal.
Alternately, the user can choose a device number that does not currently exist under
/dev. If sudo does not find the terminal under the
/dev/ptsdirectory, it performs a breadth-first search of
/dev. It is possible to allocate a pseudo-terminal after sudo has checked
/dev/ptsbut before sudo performs its breadth-first search of
/dev. The attacker may then create a symbolic link to the newly-created device in a world-writable directory under
/dev, such as
This file will be used as the command’s standard input, output and error when an SELinux role is specified on the sudo command line. If the symbolic link under
/dev/shmis replaced with a link to an another file before it is opened by sudo, it is possible to overwrite an arbitrary file by writing to the standard output or standard error. This can be escalated to full root access by rewriting a trusted file such as
For more details on exploitation, please see the Qualys Security Advisory.
This advisory was originally released on May 30, 2017. A revised version, released on June 2, 2017, describes the possibility of running a command attached to an arbitrary terminal.
The bug is fixed in sudo 1.8.20p2.
Sudo 1.8.20p1 included a fix for overwriting an arbitrary file but it is still possible to write to another user’s terminal.
This bug was discovered and analyzed by Qualys, Inc who also provided helpful advice and feedback on the fix.
Thanks are also due to Stephane Chazelas, who pointed out that the original patch did not address command names that include a newline, and Solar Designer, who noticed that the bug could also be used to hijack another user’s terminal.