Sudo eliminated the vulnerability with SE-Linux systems

By Prempal Singh 0 Comment June 3, 2017  android linux, arch linux, centos, debian, find linux, how to install linux, java linux, kali, kernel linux, linux command, linux command line, linux debian, linux download, linux iso, linux kali, linux mint, linux os, linux server, linux version, mint, ubuntu, ubuntu linux, unix, usb linux, what is linux

The sudo utility used to organize the execution of commands on behalf of other users, found dangerous vulnerability (CVE-2017-1000367).

The problem allows overwrite any file on the system, for example, / etc / shadow, and appears only if the user has been delegated the execution of certain privileged operations in / etc / sudoers, SELinux is enabled in the system and sudo is compiled with support for SELinux. The vulnerability is fixed in the update sudo 1.8.20p1, as well as in packs distributions RHEL 6/7, Fedora, Ubuntu, Debian, SUSE, and openSUSE.

The vulnerability is exploited by creating a symbolic link to the executable file sudo, with the task to reference the name that contains a space, followed by a number. When parsing the file / proc / [pid] / stat after the launch of such a link sudo program tries to define the tty device number, to which is attached the current process, but since as separators / proc / [pid] / stat used spaces, running through a link with a space in the name violates the order analysis and allows to substitute a fictitious number of the device is not associated with some existing devices in the directory / dev. Using this fictitious sudo number of the device can not find the terminal of the current process in the directory / dev / pts, and then tries to find the device in the directory / dev.

An attacker can choose the time and create a new pseudo when the sudo already checked / dev / pts but not yet started checking in / dev (eg, using notify to monitor the opening of the catalog), and install on it a symbolic link in the directory / dev (Na primer directory / dev / shm is available to all on record), after which the file will be treated as a current terminal sudo. When specifying a role SELinux through option «-r role» in the command line when calling sudo, the device will be used for stdin, stdout and stderr. Replacing the symbolic link to the real pseudo-file, you can rewrite its contents (sudo outputs to stderr all command-line arguments in the case of an error, for example, can be transmitted instead of the option ‘- \ nHELLO \ nWORLD \ n’). For example, rewriting the / etc / shadow or / etc / sudoers available root authority.