There is a serious vulnerability in the sudo command (CVE-2017-1000367) that lets a local user who is already allowed to run some command via sudo escalate to full root. The root-escalation path applies to SELinux-enabled builds of sudo, such as the ones shipped with CentOS/RHEL, but the underlying parsing bug is present in sudo on other Linux distributions too. Patch your system as soon as possible.
It was discovered that sudo did not properly parse the contents of /proc/[pid]/stat when attempting to determine its controlling tty. A local attacker in some configurations could use this to overwrite any file on the filesystem, bypassing intended permissions, or to gain a root shell.
From the description:

We discovered a vulnerability in Sudo’s get_process_ttyname() for Linux: this function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367).

For example, if we execute Sudo through the symlink “./ 1 ”, get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number “1” in the built-in search_devs[].

Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to search for this non-existent tty device number “1” in a breadth-first traversal of “/dev”.

Last, we exploit this function during its traversal of the world-writable “/dev/shm”: through this vulnerability, a local user can pretend that his tty is any character device on the filesystem, and after two race conditions, he can pretend that his tty is any file on the filesystem.

On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command’s output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command’s stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges.
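To make the parsing bug concrete, here is an added example (written for this page, not code from sudo or from the advisory) that reads tty_nr out of a /proc/[pid]/stat line two ways: a naive parser that counts single spaces to reach field 7, which is the class of mistake described above, and a robust parser that anchors on the last ')' as proc(5) requires. The two stat lines are constructed sample data; the crafted comm in the second one is my own choice of symlink name, picked so that the sixth space lands directly before a "1", and the function names are mine.

```python
"""Added example, not code from sudo or from the original post.

Shows why counting spaces in /proc/[pid]/stat to reach field 7 (tty_nr) is
unsafe: field 2 (comm) is the executable's name in parentheses and may itself
contain spaces, so a process started through a symlink with a crafted name
shifts every later field. Both sample stat lines below are constructed.
"""

TTY_NR_FIELD = 7  # 1-indexed field holding the controlling tty's device number

# Constructed: an ordinary sudo process on /dev/pts/1 (tty_nr 34817 = major 136, minor 1).
STAT_NORMAL = ("4242 (sudo) S 4100 4242 4100 34817 4242 4194560 "
               "0 0 0 0 0 0 0 0 20 0 1 0 123456 1234567 89 18446744073709551615")

# Constructed: the same process started through a symlink whose basename is
# five spaces, "1" and a space, so the kernel reports comm as "(     1 )".
STAT_ATTACK = ("4242 (     1 ) S 4100 4242 4100 34817 4242 4194560 "
               "0 0 0 0 0 0 0 0 20 0 1 0 123456 1234567 89 18446744073709551615")


def naive_tty_nr(stat_line: str) -> int:
    """Flawed parse: treat every single space as a field separator and return
    the text that follows the sixth one. A reconstruction of the mistake the
    advisory describes, not sudo's own code."""
    field = 1
    for i, ch in enumerate(stat_line):
        if ch == ' ':
            field += 1
            if field == TTY_NR_FIELD:
                end = stat_line.find(' ', i + 1)
                if end == -1:
                    end = len(stat_line)
                return int(stat_line[i + 1:end])
    raise ValueError("stat line has fewer than 7 fields")


def safe_tty_nr(stat_line: str) -> int:
    """Robust parse: proc(5) guarantees comm is the only field that may contain
    spaces or parentheses, so anchor on the LAST ')' and count the
    space-separated fields after it (field 3, the state, is the first of them)."""
    end_of_comm = stat_line.rfind(')')
    if end_of_comm == -1:
        raise ValueError("malformed stat line: no closing parenthesis for comm")
    rest = stat_line[end_of_comm + 1:].split()
    return int(rest[TTY_NR_FIELD - 3])


def tty_major_minor(tty_nr: int) -> tuple:
    """Decode tty_nr with the Linux dev_t layout: 34817 -> (136, 1), i.e. /dev/pts/1."""
    major = (tty_nr >> 8) & 0xfff
    minor = (tty_nr & 0xff) | ((tty_nr >> 12) & 0xfff00)
    return (major, minor)


if __name__ == "__main__":
    for label, line in (("normal", STAT_NORMAL), ("crafted comm", STAT_ATTACK)):
        print(f"{label:13s} naive={naive_tty_nr(line):6d} safe={safe_tty_nr(line):6d}")
```

On the normal line both parsers agree on 34817 (/dev/pts/1). On the crafted line the naive parser returns 1, a device number that exists nowhere in /dev, which is exactly what sends sudo off to scan /dev (and the world-writable /dev/shm) for a matching device; the last-')' parser still returns 34817.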
A list of affected Linux distros:
- Red Hat Enterprise Linux 6 (sudo)
- Red Hat Enterprise Linux 7 (sudo)
- Red Hat Enterprise Linux Server (v. 5 ELS) (sudo)
- Oracle Enterprise Linux 6
- Oracle Enterprise Linux 7
- Oracle Enterprise Linux Server 5
- CentOS Linux 6 (sudo)
- CentOS Linux 7 (sudo)
- Debian wheezy
- Debian jessie
- Debian stretch
- Debian sid
- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- SUSE Linux Enterprise Software Development Kit 12-SP2
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
- SUSE Linux Enterprise Server 12-SP2
- SUSE Linux Enterprise Desktop 12-SP2
- OpenSuse, Slackware, and Gentoo Linux
How do I patch sudo on Debian/Ubuntu Linux server?
To patch Ubuntu/Debian Linux, run the apt-get command or apt command:
$ sudo apt update
$ sudo apt upgrade
Fig.01: Updating my sudo version
How do I patch sudo on CentOS/RHEL/Scientific/Oracle Linux server?
Run yum command:
$ sudo yum update
How do I patch sudo on Fedora Linux server?
Run dnf command:
$ sudo dnf update
How do I patch sudo on Suse/OpenSUSE Linux server?
Run zypper command:
$ sudo zypper update
How do I patch sudo on Arch Linux server?
Run pacman command:
$ sudo pacman -Syu
How do I patch sudo on Alpine Linux server?
Run apk command:
# apk update && apk upgrade
How do I patch sudo on Slackware Linux server?
Run upgradepkg command:
# upgradepkg sudo-1.8.20p1-i586-1_slack14.2.txz
How do I patch sudo on Gentoo Linux server?
Run emerge command:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.20_p1"
For more information, see the bug report: Potential overwrite of arbitrary files on Linux.
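Whichever package manager you used above, confirm afterwards which sudo is actually installed. The following added example (mine, not part of the original post or of any distribution's tooling) parses the first line of `sudo -V` and compares it against 1.8.20p1, the upstream release that carries the fix (the Slackware and Gentoo package names above show that version). The banners fed to the test are constructed strings; the function names are mine.

```python
"""Added example, not part of the original post or of any distribution's tooling.

After upgrading, confirm which sudo is actually installed. Upstream fixed
CVE-2017-1000367 in sudo 1.8.20p1, so an upstream build at or above that
version carries the fix. Distribution packages often backport fixes under an
older version number, so a "too old" result means "check the package
changelog", not "proven vulnerable".
"""
import re
import subprocess

FIXED_UPSTREAM = (1, 8, 20, 1)  # sudo 1.8.20p1

_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(banner: str) -> tuple:
    """Turn the first line of `sudo -V` ("Sudo version 1.8.20p1") into a
    comparable tuple (major, minor, patch, plevel). A release with no "pN"
    suffix gets plevel 0, so 1.8.20 sorts below 1.8.20p1."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised sudo version banner: {banner!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def upstream_has_fix(banner: str) -> bool:
    """True if the reported version is an upstream release that includes the fix."""
    return parse_sudo_version(banner) >= FIXED_UPSTREAM


def installed_sudo_banner() -> str:
    """Run `sudo -V` (the first line needs no privileges) and return that line."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=True).stdout
    return out.splitlines()[0]


if __name__ == "__main__":
    banner = installed_sudo_banner()
    print(banner)
    if upstream_has_fix(banner):
        print("upstream version is at or above 1.8.20p1")
    else:
        print("below 1.8.20p1: check the package changelog for CVE-2017-1000367")
```

The caveat matters on the enterprise distros listed above: RHEL/CentOS 6 and 7 fix this in packages whose upstream version stays well below 1.8.20, so there the changelog is the authority, for example `rpm -q --changelog sudo | grep CVE-2017-1000367` on RHEL/CentOS or `zcat /usr/share/doc/sudo/changelog.Debian.gz | grep CVE-2017-1000367` on Debian/Ubuntu.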
This Linux issue is why I’m glad I use FreeBSD.
Glad you use FreeBSD. However, note that each OS has its own problems.
Quote “If man can code it, man can hack it.”
I agree, all Operating Systems have bugs. It is how fast they are found and fixed that makes the difference.
Is putting up the code to exploit it the right thing to do?
yes.
Keith: if they put up the code then it’s highly likely that the solution to this exploit has already been found. In fact, that is exactly what’s happening here.
Really need to yum update, why not yum update sudo?
Applying all patches is a good move ;)
Not exclusively root-privileges. Sudo also can be used to grant someone the rights of another user. Sudo means “substitute user do”.
Thanks for reporting. I turned off adblock for your site. :^)
Dear Vivek,
Great work and thanks for the heads up.