Search the Community

Security researchers at Qualys Security have discovered a Linux flaw that could be exploited to gain root privileges and overwrite any file on the filesystem on SELinux-enabled systems. The high severity flaw, tracked as CVE-2017-1000367, resides in the Sudo’s get_process_ttyname() for Linux and is related to the way Sudo parses tty information from the process status file in the proc filesystem. The Linux flaw could be exploited by a local user with privileges to execute commands via Sudo and could allow attackers to escalate their privileges to root. The Sudo’s get_process_ttyname() function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr). These fields are space-separated, the field 2 (comm, the filename of the command) can contain spaces. Sudoer users on SELinux-enabled systems could escalate their privileges to overwrite any file on the filesystem with their command’s output, including root-owned files. To exploit the issue, a Sudo user would have to choose a device number that doesn’t exist under “/dev”. If the terminal isn’t present under the /dev/pts directory when the Sudo performs a breadth-first search of /dev, the user could allocate a pseudo-terminal between the two searchers and create a “symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm,” The Linus flaw affects all Sudo versions from 1.8.6p7 through 1.8.20, the Sudo 1.8.20p1 fixes it, the issue was rated with a CVSS3 Base Score of 7.8. Via securityaffairs.co