The vulnerability, identified as CVE-2017-1000367, was discovered by researchers at Qualys Security in Sudo's "get_process_ttyname()" function for Linux that could allow a user with Sudo privileges to run commands as root or elevate privileges to root.
Sudo, stands for "superuser do!," is a program for Linux and UNIX operating systems that lets standard users run specific commands as a superuser (aka root user), such as adding users or performing system updates.
The flaw actually resides in the way Sudo parsed "tty" information from the process status file in the proc filesystem.
On Linux machines, sudo parses the /proc/[pid]/stat file in order to determine the device number of the process's tty from field 7 (tty_nr), Qualys Security explains in its advisory.
Although the fields in the file are space-delimited, it is possible for field 2 (the command name) to include whitespace (including newline), which sudo doesn't account for.
Therefore, a local user with sudo privileges (Sudoer) on SELinux-enabled systems can cause sudo to use a device number of his choice "by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number," escalating their privileges to overwrite any file on the filesystem, including root-owned files.
"To exploit the bug, the user can choose a device number that does not currently exist under /dev. If sudo does not find the terminal under the /dev/pts directory, it performs a breadth-first search of /dev...The attacker may then create a symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm," an alert on the sudo project website reads.
"This file will be used as the command's standard input, output and error when an SELinux role is specified on the sudo command line. If the symbolic link under /dev/shm is replaced with a link to another file before [sudo opens it], it is possible to overwrite an arbitrary file by writing to the standard output or standard error. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers."
The vulnerability, which affects Sudo 1.8.6p7 through 1.8.20 and marked as high severity, has already been patched in Sudo 1.8.20p1, and users are recommended to update their systems to the latest release.
Red Hat yesterday pushed out patches for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux Server. Debian has also released fixes for its Wheezy, Jessie and Sid releases and SUSE Linux has rolled out fixes for a number of its products.
Qualys Security said it would publish its Sudoer-to-root exploit once a maximum number of users have had time to patch their systems against the flaw.
