Red Hat, Debian and other Linux distributions yesterday pushed out patches for a high-severity vulnerability in sudo that could be abused by a local attacker to gain root privileges.
Sudo is a program for Linux and UNIX systems that allows standard users to run specific commands as a superuser, such as adding users or performing system updates.
In this case, researchers at Qualys found a vulnerability in sudo’s get_process_ttyname function that allows a local attacker with sudo privileges to run commands as root or elevate privileges to root.
An alert on the sudo project website says SELinux must be enabled and sudo built with SELinux support for the vulnerability to be triggered. Sudo 1.8.6p7 through 1.8.20 are affected. Users should update sudo to 1.8.20p1.
“On Linux systems, sudo parses theĀ /proc/[pid]/statĀ file to determine the device number of the process’s tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include white space (including newline), which sudo does not account for,” the sudo advisory said. “A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”
Qualys declined to comment for this article.
“This issue, if exploited, allows the attacker to circumvent the controls and do more than they are supposed to do,” the Red Hat security team told Threatpost. “The attacker has to already be on a server and granted access to commands via sudo for the vulnerability to be used.”
Red Hat said it released fixes yesterday for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux Server and Red Hat Enterprise Linux 7, as did a number of other distributions including Debian for its wheezy, jessie and sid releases, and SUSE Linux for a number of its products.
Qualys said it will publish its exploit once systems have had time to patch.
“On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command’s output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command’s stdin, stdout, and stderr,” Qualys researchers wrote in an advisory published on the OSS-Security mailing list. “This allows any Sudoer user to obtain full root privileges.”