Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 620182 (CVE-2017-1000367) - <app-admin/sudo-1.8.20_p2: get_process_ttyname() allows local users to gain root privileges (CVE-2017-1000367)
Summary: <app-admin/sudo-1.8.20_p2: get_process_ttyname() allows local users to gain r...
Status: RESOLVED FIXED
Alias: CVE-2017-1000367
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-30 07:21 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2017-10-07 14:14 UTC (History)
5 users (show)

See Also:
Package list:
app-admin/sudo-1.8.20_p2
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-05-30 07:21:43 UTC
This is a placeholder bug
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-30 15:09:37 UTC
Qualys Security Advisory

CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux


========================================================================
Contents
========================================================================

Analysis
Exploitation
Example
Acknowledgments


========================================================================
Analysis
========================================================================

We discovered a vulnerability in Sudo's get_process_ttyname() for Linux:
this function opens "/proc/[pid]/stat" (man proc) and reads the device
number of the tty from field 7 (tty_nr). Unfortunately, these fields are
space-separated and field 2 (comm, the filename of the command) can
contain spaces (CVE-2017-1000367).

For example, if we execute Sudo through the symlink "./     1 ",
get_process_ttyname() calls sudo_ttyname_dev() to search for the
non-existent tty device number "1" in the built-in search_devs[].

Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to
search for this non-existent tty device number "1" in a breadth-first
traversal of "/dev".

Last, we exploit this function during its traversal of the
world-writable "/dev/shm": through this vulnerability, a local user can
pretend that his tty is any character device on the filesystem, and
after two race conditions, he can pretend that his tty is any file on
the filesystem.

On an SELinux-enabled system, if a user is Sudoer for a command that
does not grant him full root privileges, he can overwrite any file on
the filesystem (including root-owned files) with his command's output,
because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK)
on his tty and dup2()s it to the command's stdin, stdout, and stderr.
This allows any Sudoer user to obtain full root privileges.


========================================================================
Exploitation
========================================================================

To exploit this vulnerability, we:

- create a directory "/dev/shm/_tmp" (to work around
  /proc/sys/fs/protected_symlinks), and a symlink "/dev/shm/_tmp/_tty"
  to a non-existent pty "/dev/pts/57", whose device number is 34873;

- run Sudo through a symlink "/dev/shm/_tmp/     34873 " that spoofs the
  device number of this non-existent pty;

- set the flag CD_RBAC_ENABLED through the command-line option "-r role"
  (where "role" can be our current role, for example "unconfined_r");

- monitor our directory "/dev/shm/_tmp" (for an IN_OPEN inotify event)
  and wait until Sudo opendir()s it (because sudo_ttyname_dev() cannot
  find our non-existent pty in "/dev/pts/");

- SIGSTOP Sudo, call openpty() until it creates our non-existent pty,
  and SIGCONT Sudo;

- monitor our directory "/dev/shm/_tmp" (for an IN_CLOSE_NOWRITE inotify
  event) and wait until Sudo closedir()s it;

- SIGSTOP Sudo, replace the symlink "/dev/shm/_tmp/_tty" to our
  now-existent pty with a symlink to the file that we want to overwrite
  (for example "/etc/passwd"), and SIGCONT Sudo;

- control the output of the command executed by Sudo (the output that
  overwrites "/etc/passwd"):

  . either through a command-specific method;

  . or through a general method such as "--\nHELLO\nWORLD\n" (by
    default, getopt() prints an error message to stderr if it does not
    recognize an option character).

To reliably win the two SIGSTOP races, we preempt the Sudo process: we
setpriority() it to the lowest priority, sched_setscheduler() it to
SCHED_IDLE, and sched_setaffinity() it to the same CPU as our exploit.


========================================================================
Example
========================================================================

We will publish our Sudoer-to-root exploit
(Linux_sudo_CVE-2017-1000367.c) in the near future:

[john@localhost ~]$ head -n 8 /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt

[john@localhost ~]$ sudo -l
[sudo] password for john:
...
User john may run the following commands on localhost:
    (ALL) /usr/bin/sum

[john@localhost ~]$ ./Linux_sudo_CVE-2017-1000367 /usr/bin/sum $'--\nHELLO\nWORLD\n'
[sudo] password for john:

[john@localhost ~]$ head -n 8 /etc/passwd
/usr/bin/sum: unrecognized option '--
HELLO
WORLD
'
Try '/usr/bin/sum --help' for more information.
ogin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin


========================================================================
Acknowledgments
========================================================================

We thank Todd C. Miller for his great work and quick response, and the
members of the distros list for their help with the disclosure of this
vulnerability.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-05-30 15:28:08 UTC
This issue was resolved and addressed in
 GLSA 201705-15 at https://security.gentoo.org/glsa/201705-15
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 3 Sergey 'L29Ah' Alirzaev 2017-05-31 01:19:27 UTC
CVE URL is broken at https://security.gentoo.org/glsa/201705-15 bottom.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-05-31 08:06:03 UTC
(In reply to Sergey 'L29Ah' Alirzaev from comment #3)
> CVE URL is broken at https://security.gentoo.org/glsa/201705-15 bottom.

Just takes some time for the upstream CVE DB to update, given this was reserved

In the mean time you have the QSA at http://www.openwall.com/lists/oss-security/2017/05/30/16
Comment 5 Renato Foot 2017-08-31 13:46:19 UTC
Hello, 

I don't know if here is the right place for this!

But I saw that this GLSA is wrong, because version 1.8.20p1 is also affected by this problem too!

You can see it here:
https://www.sudo.ws/alerts/linux_tty.html

Sudo versions affected:
Sudo 1.7.10 through 1.7.10p9 inclusive and Sudo 1.8.5 through 1.8.20p1 inclusive.
The fix present in sudo 1.8.20p1 was incomplete. 

"Unaffected versions 	>= 1.8.20_p1"

Tks
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-07 14:14:04 UTC
Updating to refelect comment #5.