
Sudo fixes a vulnerability affecting SELinux systems | Cyberops

By Prempal Singh, June 3, 2017

A dangerous vulnerability (CVE-2017-1000367) has been found in the sudo utility, which is used to run commands on behalf of other users.

The problem allows any file on the system to be overwritten, for example /etc/shadow. It appears only if the user has been delegated the execution of certain privileged operations in /etc/sudoers, SELinux is enabled on the system, and sudo is compiled with SELinux support. The vulnerability is fixed in sudo 1.8.20p1, as well as in package updates for the RHEL 6/7, Fedora, Ubuntu, Debian, SUSE, and openSUSE distributions.

The vulnerability is exploited by creating a symbolic link to the sudo executable and giving the link a name that contains a space followed by a number. When sudo is launched through such a link, it parses /proc/[pid]/stat to determine the tty device number to which the current process is attached. Because the fields in /proc/[pid]/stat are separated by spaces, a command name containing a space disrupts the parsing and makes it possible to substitute a fictitious device number that is not associated with any existing device in /dev. With this fictitious device number, sudo cannot find the terminal of the current process in /dev/pts, and it then tries to find the device elsewhere in /dev.
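The field shift described above can be reproduced with a small C program. This is an added example, not sudo's code and not part of the original article: the stat lines are constructed samples, and the names nth_field, tty_nr_naive and tty_nr_robust are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample /proc/[pid]/stat lines (not captured from a real system).
 * Field 2 is the command name in parentheses; field 7 is tty_nr.
 * 34816 = major 136, minor 0, i.e. /dev/pts/0. */
static const char STAT_PLAIN[]  = "4242 (sudo) R 4241 4242 4241 34816 4242 4194304";
static const char STAT_SPACED[] = "4242 (sudo 9999) R 4241 4242 4241 34816 4242 4194304";

/* Return the n-th (1-based) space-separated field of s as a long, or -1. */
static long nth_field(const char *s, int n)
{
    for (int i = 1; i < n; i++) {
        s = strchr(s, ' ');
        if (s == NULL)
            return -1;
        s++;
    }
    char *end;
    long v = strtol(s, &end, 10);
    return (end == s) ? -1 : v;
}

/* Fragile: counts spaces from the start, so it assumes the command
 * name never contains a space. */
long tty_nr_naive(const char *stat)
{
    return nth_field(stat, 7);
}

/* Robust: the name may contain spaces or ')' characters, so skip to the
 * LAST ')' in the line and count fields from there. */
long tty_nr_robust(const char *stat)
{
    const char *close = strrchr(stat, ')');
    if (close == NULL || close[1] != ' ')
        return -1;
    /* After ") " come state(3) ppid(4) pgrp(5) session(6) tty_nr(7). */
    return nth_field(close + 2, 5);
}

int main(void)
{
    printf("plain : naive=%ld robust=%ld\n", tty_nr_naive(STAT_PLAIN), tty_nr_robust(STAT_PLAIN));
    printf("spaced: naive=%ld robust=%ld\n", tty_nr_naive(STAT_SPACED), tty_nr_robust(STAT_SPACED));
    return 0;
}
```

With the spaced name, the naive parser returns the session ID instead of the kernel-reported tty number, while the parser anchored on the last closing parenthesis returns the same value for both lines.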

An attacker can choose the moment and create a new pseudo-terminal when sudo has already checked /dev/pts but has not yet started checking /dev (e.g., using inotify to monitor the opening of the directory), and place a symbolic link to it in a directory under /dev (for example, /dev/shm is writable by everyone), after which sudo will treat that file as the current terminal. When an SELinux role is specified through the "-r role" option on the sudo command line, the device is used for stdin, stdout and stderr. By switching the symbolic link from the pseudo-terminal to a real file, the contents of that file can be overwritten (sudo prints all command-line arguments to stderr in case of an error, so, for example, '-\nHELLO\nWORLD\n' can be passed in place of an option). In this way /etc/shadow or /etc/sudoers, for example, can be overwritten with root privileges.
