
Linux Vulnerability Allows Users to Gain Root Privileges | Cyberops


By Prempal Singh, June 1, 2017

A vulnerability in the way Sudo parsed tty information could have led to a user gaining root privileges and being able to overwrite any file on the filesystem on SELinux-enabled systems.

Tracked as CVE-2017-1000367, the vulnerability was uncovered by Qualys Security in Sudo’s get_process_ttyname() for Linux. The issue resides in how Sudo parses tty information from the process status file in the proc filesystem.

The vulnerability could be exploited by a local user with privileges to execute commands via Sudo, allowing that user to escalate their privileges to root. With a CVSS3 Base Score of 7.8, the issue is rated High severity.

In their advisory, Qualys Security explains that Sudo’s get_process_ttyname() function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr). Even though these fields are space-separated, it is possible for field 2 (comm, the filename of the command) to contain spaces, the security researchers explain.
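The field shift described above, as an added example (not code from Sudo or from the Qualys advisory): a naive space-splitting reader of a /proc/[pid]/stat line next to one that skips past the last ')' of comm before counting fields. The function names and both sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive reader: assumes every field is space-separated and takes field 7. */
long tty_nr_naive(const char *line)
{
    const char *p = line;
    for (int field = 1; field < 7; field++) {
        p = strchr(p, ' ');
        if (p == NULL)
            return -1;
        p += strspn(p, " ");          /* step to the start of the next field */
    }
    return strtol(p, NULL, 10);
}

/* Robust reader: comm (field 2) is wrapped in parentheses and may itself
 * contain spaces or ')', so resume parsing after the LAST ')' in the line.
 * The fields that follow are state, ppid, pgrp, session, tty_nr (3..7). */
long tty_nr_robust(const char *line)
{
    const char *cp = strrchr(line, ')');
    char state;
    long ppid, pgrp, session, tty_nr;

    if (cp == NULL)
        return -1;
    if (sscanf(cp + 1, " %c %ld %ld %ld %ld",
               &state, &ppid, &pgrp, &session, &tty_nr) != 5)
        return -1;
    return tty_nr;
}

/* Constructed sample lines (truncated after a few fields); 34816 is the
 * tty_nr the kernel reported in this made-up case. */
static const char SAMPLE_PLAIN[]  = "4321 (demo) S 1 4321 4321 34816 4321 4194304";
static const char SAMPLE_SPACES[] = "4321 (demo a b c d 777) S 1 4321 4321 34816 4321 4194304";

int main(void)
{
    printf("plain : naive=%ld robust=%ld\n",
           tty_nr_naive(SAMPLE_PLAIN), tty_nr_robust(SAMPLE_PLAIN));
    printf("spaces: naive=%ld robust=%ld\n",
           tty_nr_naive(SAMPLE_SPACES), tty_nr_robust(SAMPLE_SPACES));
    return 0;
}
```

With a plain command name both readers agree; once comm contains spaces, the naive reader returns a number taken from inside the command name instead of the kernel-reported tty_nr.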

Therefore, Sudoer users on SELinux-enabled systems could escalate their privileges and overwrite any file on the filesystem with their command’s output, including root-owned files.

To successfully exploit the issue, a Sudo user would have to choose a device number that does not exist under “/dev”. Since Sudo performs a breadth-first search of /dev if the terminal isn’t found under the /dev/pts directory, the user could allocate a pseudo-terminal between the two searches and create a “symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm,” an alert on Sudo reads.

The attacker then uses the file as the command’s standard input, output, and error when an SELinux role is specified on the sudo command line. If the symbolic link is replaced with another file before Sudo opens it, arbitrary files can be overwritten by writing to the standard output or standard error.

“If SELinux is enabled on the program and Sudo was constructed with SELinux support, a user with sudo liberties might be able to overwrite an irrelevant file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers,” the alert on Sudo reveals.

The issue was found to impact all Sudo versions from 1.8.6p7 through 1.8.20 and was fixed in Sudo 1.8.20p1.

