Bugzilla – Bug 1039361
EMU: VUL-0: CVE-2017-1000367: sudo: path traversal race conditions
Last modified: 2017-06-24 02:11:45 UTC
Created attachment 725721 [details] sudo-1.8.20.patch From Qualys: Please find this patch attached to this mail. Todd's first patch came with the comment: ********************************* Fix parsing of /proc/pid/stat on Linux when the process name contains spaces. Also ignore the /dev/shm and /dev/mqueue directories when performing a breadth-first traversal of /dev looking for the device. ********************************* Thank you! With best regards,
The vulnerable /proc/pid/stat parsing was introduced in sudo 1.8.5. (https://www.sudo.ws/repos/sudo/rev/632f8e028191) Only SLE-12 and openSUSE are affected.
Our default installations aren't vulnerable to the arbitrary file write, because our systems don't have selinux enabled. selinux_setup()/relabel_tty() is never called and the fake tty never gets dup()ed to the command's stderr.
But you can enable selinux. (how selinux impacts this ... it tries to relabel the tty when in a SELINUX rolebased mode)
Backported patch was submitted for SLE12 and SLE12SP2: | Codestream | Version | Request | |-----------------------------|----------|--------------| | SUSE:SLE-10-SP3:Update:Test | 1.6.8p12 | not affected | | SUSE:SLE-11:Update | 1.7.6p2 | not affected | | SUSE:SLE-11-SP3:Update | 1.7.6p2 | not affected | | SUSE:SLE-12:Update | 1.8.10p3 | #133021 | | SUSE:SLE-12-SP2:Update | 1.8.10p3 | #133022 | | openSUSE:Leap:42.2:Update | 1.8.10p3 | from SLE12 | | Base:System | 1.8.19p2 | * | * It will be submitted after CRD
Please use CVE-2017-1000367
(In reply to Marcus Meissner from comment #12) > Please use CVE-2017-1000367 Resubmitted with the CVE number in the changelog: SLE12 mr#133051 SLE12SP2 mr#133052
Resubmitted again with fixes for bugs 1024145, 1015351 and 981124: | SLE12:Update | mr#133101 | | SLE12SP2 | mr#133102 |
Created attachment 726731 [details] sudo-improved.patch Attached is an updated diff that does not recurse into subdirectories of /dev. Only directories listed in search_devs[] will be checked. - todd
is now public via oss-security Qualys Security Advisory CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux ======================================================================== Contents ======================================================================== Analysis Exploitation Example Acknowledgments ======================================================================== Analysis ======================================================================== We discovered a vulnerability in Sudo's get_process_ttyname() for Linux: this function opens "/proc/[pid]/stat" (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367). For example, if we execute Sudo through the symlink "./ 1 ", get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number "1" in the built-in search_devs[]. Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to search for this non-existent tty device number "1" in a breadth-first traversal of "/dev". Last, we exploit this function during its traversal of the world-writable "/dev/shm": through this vulnerability, a local user can pretend that his tty is any character device on the filesystem, and after two race conditions, he can pretend that his tty is any file on the filesystem. On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command's output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command's stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges. ======================================================================== Exploitation ======================================================================== To exploit this vulnerability, we: - create a directory "/dev/shm/_tmp" (to work around /proc/sys/fs/protected_symlinks), and a symlink "/dev/shm/_tmp/_tty" to a non-existent pty "/dev/pts/57", whose device number is 34873; - run Sudo through a symlink "/dev/shm/_tmp/ 34873 " that spoofs the device number of this non-existent pty; - set the flag CD_RBAC_ENABLED through the command-line option "-r role" (where "role" can be our current role, for example "unconfined_r"); - monitor our directory "/dev/shm/_tmp" (for an IN_OPEN inotify event) and wait until Sudo opendir()s it (because sudo_ttyname_dev() cannot find our non-existent pty in "/dev/pts/"); - SIGSTOP Sudo, call openpty() until it creates our non-existent pty, and SIGCONT Sudo; - monitor our directory "/dev/shm/_tmp" (for an IN_CLOSE_NOWRITE inotify event) and wait until Sudo closedir()s it; - SIGSTOP Sudo, replace the symlink "/dev/shm/_tmp/_tty" to our now-existent pty with a symlink to the file that we want to overwrite (for example "/etc/passwd"), and SIGCONT Sudo; - control the output of the command executed by Sudo (the output that overwrites "/etc/passwd"): . either through a command-specific method; . or through a general method such as "--\nHELLO\nWORLD\n" (by default, getopt() prints an error message to stderr if it does not recognize an option character). To reliably win the two SIGSTOP races, we preempt the Sudo process: we setpriority() it to the lowest priority, sched_setscheduler() it to SCHED_IDLE, and sched_setaffinity() it to the same CPU as our exploit. ======================================================================== Example ======================================================================== We will publish our Sudoer-to-root exploit (Linux_sudo_CVE-2017-1000367.c) in the near future: [john@localhost ~]$ head -n 8 /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt [john@localhost ~]$ sudo -l [sudo] password for john: ... User john may run the following commands on localhost: (ALL) /usr/bin/sum [john@localhost ~]$ ./Linux_sudo_CVE-2017-1000367 /usr/bin/sum $'--\nHELLO\nWORLD\n' [sudo] password for john: [john@localhost ~]$ head -n 8 /etc/passwd /usr/bin/sum: unrecognized option '-- HELLO WORLD ' Try '/usr/bin/sum --help' for more information. ogin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin ======================================================================== Acknowledgments ======================================================================== We thank Todd C. Miller for his great work and quick response, and the members of the distros list for their help with the disclosure of this vulnerability.
SUSE-SU-2017:1446-1: An update that solves one vulnerability and has three fixes is now available. Category: security (important) Bug References: 1015351,1024145,1039361,981124 CVE References: CVE-2017-1000367 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): sudo-1.8.10p3-2.11.1 SUSE Linux Enterprise Server for SAP 12 (src): sudo-1.8.10p3-2.11.1 SUSE Linux Enterprise Server 12-SP1 (src): sudo-1.8.10p3-2.11.1 SUSE Linux Enterprise Server 12-LTSS (src): sudo-1.8.10p3-2.11.1 SUSE Linux Enterprise Desktop 12-SP1 (src): sudo-1.8.10p3-2.11.1
SUSE-SU-2017:1450-1: An update that solves one vulnerability and has three fixes is now available. Category: security (important) Bug References: 1015351,1024145,1039361,981124 CVE References: CVE-2017-1000367 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP2 (src): sudo-1.8.10p3-10.5.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): sudo-1.8.10p3-10.5.1 SUSE Linux Enterprise Server 12-SP2 (src): sudo-1.8.10p3-10.5.1 SUSE Linux Enterprise Desktop 12-SP2 (src): sudo-1.8.10p3-10.5.1 OpenStack Cloud Magnum Orchestration 7 (src): sudo-1.8.10p3-10.5.1
Released to tumbleweed through the Update Repo.
just released also for 42.2.
openSUSE-SU-2017:1455-1: An update that solves one vulnerability and has three fixes is now available. Category: security (important) Bug References: 1015351,1024145,1039361,981124 CVE References: CVE-2017-1000367 Sources used: openSUSE Leap 42.2 (src): sudo-1.8.10p3-9.3.1