A dangerous vulnerability has been discovered in Sudo, the utility designed to delegate privileges to users while logging what they do. It allows a local user to escalate privileges to the superuser level and overwrite any file on systems with SELinux support.
The problem, assigned the identifier CVE-2017-1000367, lies in the get_process_ttyname() function of Sudo on Linux: Sudo parses the tty information from the process status file in the proc filesystem incorrectly. It affects Sudo versions 1.8.6p7 through 1.8.20.
As explained by the Qualys researchers who discovered the vulnerability, get_process_ttyname() opens /proc/[pid]/stat (see man proc) and reads the tty device number from field 7 (tty_nr). The fields are separated by spaces, but field 2 (comm, the command name) can itself contain spaces.
The bug is exploited by creating a symbolic link to the Sudo executable with a name that contains a space followed by a number, and running Sudo through that link. When Sudo then parses /proc/[pid]/stat to determine the tty device number, the space inside the command name shifts the space-separated fields, so the number embedded in the name is taken as the device number; the attacker chooses one that does not correspond to any existing device in /dev. If Sudo does not find the terminal in /dev/pts, it falls back to searching /dev. An attacker can therefore create a fake terminal and, in the window after the /dev/pts check has completed but before the search of /dev has started, point a symbolic link at it, so that Sudo treats that file as the current terminal. By then redirecting the link from the fake device to a real file, the attacker can overwrite that file's contents; overwriting a trusted file such as /etc/shadow or /etc/sudoers elevates privileges to the superuser level.
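The parsing flaw described above, as an added illustration that is not Sudo's own code: a naive parser that counts space-separated fields is compared with one that skips past the last ')' closing the comm field before counting. The stat line is a constructed sample, and the command name in it was chosen to contain spaces and a number.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a pointer to the start of the n-th (1-based) space-separated token
   in s, or NULL if s has fewer than n tokens. */
static const char *nth_token(const char *s, int n) {
    for (int i = 1; ; i++) {
        while (*s == ' ') s++;
        if (*s == '\0') return NULL;
        if (i == n) return s;
        while (*s && *s != ' ') s++;
    }
}

/* Naive parser: assumes no field contains a space and takes field 7 (tty_nr).
   A command name (field 2) containing spaces shifts every later field, so a
   number embedded in the name is read as the tty device number. */
long tty_nr_naive(const char *stat) {
    const char *tok = nth_token(stat, 7);
    return tok ? strtol(tok, NULL, 10) : -1;
}

/* Hardened parser: comm is the only field that may contain spaces and it is
   wrapped in parentheses, so skip past the LAST ')' and count from field 3. */
long tty_nr_safe(const char *stat) {
    const char *p = strrchr(stat, ')');
    if (!p) return -1;
    const char *tok = nth_token(p + 1, 7 - 2); /* fields 3..7 -> tokens 1..5 */
    return tok ? strtol(tok, NULL, 10) : -1;
}

/* Decode the Linux dev_t layout used by tty_nr into (major, minor). */
unsigned tty_major(long nr) { return (nr >> 8) & 0xfff; }
unsigned tty_minor(long nr) { return (nr & 0xff) | ((nr >> 12) & 0xfff00); }

/* Constructed sample: the real tty_nr is 34817 = (136, 1), i.e. /dev/pts/1,
   while the command name smuggles in the number 9999. */
const char *SAMPLE_STAT =
    "1234 (x 1 2 3 4 9999) S 1 1234 1234 34817 1234 4194560 0 0 0 0";

int main(void) {
    long safe = tty_nr_safe(SAMPLE_STAT);
    printf("naive: %ld\nsafe:  %ld (major %u, minor %u)\n",
           tty_nr_naive(SAMPLE_STAT), safe, tty_major(safe), tty_minor(safe));
    return 0;
}
```

The naive parser returns the attacker-chosen 9999, which matches no device under /dev; the hardened one returns 34817, the real pseudo-terminal.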
The developers fixed the vulnerability in the Sudo 1.8.20p1 release. On May 30, patches were published for RHEL 6/7, Red Hat Enterprise Linux Server, Debian, SUSE, Ubuntu and Fedora.