Related vulnerability

Title: Sudo input validation error vulnerability (CVE-2017-1000367)

Description: Sudo is a program developed by software developer Todd C. Miller for Unix-like operating systems that allows users to execute commands with special privileges in a secure manner. The ‘get_process_ttyname()’ function in Sudo 1.8.20 and earlier contains an input validation vulnerability. An attacker could exploit this vulnerability to obtain information or execute code.

Introduction
            # CVE-2017-1000367
We discovered a vulnerability in Sudo’s get_process_ttyname() for Linux: this function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367).

For example, if we execute Sudo through the symlink “./ 1 ”, get_process_ttyname() calls sudo_ttyname_dev() to search for the non-existent tty device number “1” in the built-in search_devs[]. Next, sudo_ttyname_dev() calls the function sudo_ttyname_scan() to search for this non-existent tty device number “1” in a breadth-first traversal of “/dev”. Last, we exploit this function during its traversal of the world-writable “/dev/shm”: through this vulnerability, a local user can pretend that his tty is any character device on the filesystem, and after two race conditions, he can pretend that his tty is any file on the filesystem.

On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command’s output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command’s stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges.
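The root cause described above is a parsing assumption: `/proc/[pid]/stat` is treated as purely space-separated, although field 2 (comm) may itself contain spaces or parentheses. The C program below is an added example, not code from the original page, the PoC repository or Sudo itself. It places a simplified naive parser (skip six spaces, read field 7) beside a hardened one that first locates the last `)` closing comm and only then counts fields, which is the robust way to read this file. The stat lines, the field values and the function names `tty_nr_naive` / `tty_nr_safe` are constructed for the demonstration; the sample lines are truncated after field 8.

```c
/*
 * Added example, not code from the original page or from Sudo itself.
 * Contrasts a naive parse of /proc/[pid]/stat (count six spaces, read field 7)
 * with a parse that skips to the final ')' terminating comm before counting
 * fields, so spaces or ')' inside comm cannot shift the field positions.
 * Sample lines are constructed and truncated after field 8.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed samples. Field layout: 1 pid, 2 (comm), 3 state, 4 ppid,
 * 5 pgrp, 6 session, 7 tty_nr, 8 tpgid. The true tty_nr in all three lines
 * is 34816 (major 136, minor 0, i.e. /dev/pts/0). */
static const char STAT_BENIGN[] = "4242 (sudo) S 1000 4242 4242 34816 4242";
static const char STAT_SPACES[] = "4242 (x y z) S 1000 4242 4242 34816 4242";
static const char STAT_PAREN[]  = "4242 (a) b) S 1000 4242 4242 34816 4242";

/* Naive parse: advance past six separators and read what follows as field 7.
 * Any space inside comm shifts the count, so an unrelated field is returned.
 * Returns -1 on a malformed line. */
long tty_nr_naive(const char *stat_line)
{
    const char *cp = stat_line;
    char *end;
    long v;
    int field;

    for (field = 1; field < 7; field++) {
        cp = strchr(cp, ' ');
        if (cp == NULL)
            return -1;
        cp++;
    }
    errno = 0;
    v = strtol(cp, &end, 10);
    if (errno != 0 || end == cp)
        return -1;
    return v;
}

/* Hardened parse: comm is the only field that may contain spaces or ')', and
 * it is the only parenthesised field, so the LAST ')' on the line marks its
 * end. Count fields only after that point: state, ppid, pgrp, session, then
 * tty_nr. Returns -1 on a malformed line. */
long tty_nr_safe(const char *stat_line)
{
    const char *p = strrchr(stat_line, ')');
    char *end;
    long v;
    int field;

    if (p == NULL)
        return -1;
    p++;
    /* Skip fields 3..6 (state, ppid, pgrp, session). */
    for (field = 3; field < 7; field++) {
        while (*p == ' ')
            p++;
        if (*p == '\0')
            return -1;
        while (*p != ' ' && *p != '\0')
            p++;
    }
    while (*p == ' ')
        p++;
    if (*p == '\0')
        return -1;
    errno = 0;
    v = strtol(p, &end, 10);
    if (errno != 0 || end == p || (*end != ' ' && *end != '\0' && *end != '\n'))
        return -1;
    return v;
}

int main(void)
{
    const char *samples[] = { STAT_BENIGN, STAT_SPACES, STAT_PAREN };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-44s naive=%ld safe=%ld\n", samples[i],
               tty_nr_naive(samples[i]), tty_nr_safe(samples[i]));
    }
    return 0;
}
```

On the benign line both parsers agree on 34816. On the lines whose comm contains a space or a `)`, the naive parser lands on the pgrp field and reports 4242, a device number that has nothing to do with the caller's terminal, while the hardened parser still returns 34816. Any code that derives a trust decision from `/proc/[pid]/stat` should parse it the second way, since comm is attacker-controlled via the executable's filename.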
| Distribution | Status |
|---|---|
| Red Hat Enterprise Linux 6 (sudo) | :white_check_mark: |
| Red Hat Enterprise Linux 7 (sudo) | :white_check_mark: |
| Red Hat Enterprise Linux Server (v. 5 ELS) (sudo) | :white_check_mark: |
| Oracle Enterprise Linux 6 | :white_check_mark: |
| Oracle Enterprise Linux 7 | :white_check_mark: |
| Oracle Enterprise Linux Server 5 | :white_check_mark: |
| CentOS Linux 6 (sudo) | :white_check_mark: |
| CentOS Linux 7 (sudo) | :white_check_mark: |
| Debian wheezy | :white_check_mark: |
| Debian jessie | :white_check_mark: |
| Debian stretch | :white_check_mark: |
| Debian sid | :white_check_mark: |
| Ubuntu 17.04 | :white_check_mark: |
| Ubuntu 16.10 | :white_check_mark: |
| Ubuntu 16.04 LTS | :white_check_mark: |
| Ubuntu 14.04 LTS | :white_check_mark: |
| SUSE Linux Enterprise Software Development Kit 12-SP2 | :white_check_mark: |
| SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 | :white_check_mark: |
| SUSE Linux Enterprise Server 12-SP2 | :white_check_mark: |
| SUSE Linux Enterprise Desktop 12-SP2 | :white_check_mark: |
| OpenSuse, Slackware, and Gentoo Linux | :white_check_mark: |
## How do I patch sudo on CentOS/RHEL/Scientific/Oracle Linux server?

```sh
sudo yum update
```

## How do I patch sudo on Fedora Linux server?

```sh
sudo dnf update
```

## How do I patch sudo on Suse/OpenSUSE Linux server?

```sh
sudo zypper update
```

## How do I patch sudo on Arch Linux server?

```sh
sudo pacman -Syu
```

## How do I patch sudo on Alpine Linux server?

```sh
apk update && apk upgrade
```

## How do I patch sudo on Slackware Linux server?

```sh
upgradepkg sudo-1.8.20p1-i586-1_slack14.2.txz
```

## How do I patch sudo on Gentoo Linux server?

```sh
emerge --sync
emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.20_p1"
```

File snapshot

 [4.0K]  /data/pocs/cc20c509704e85a8e85ddebf810bbdb4cf68ba00
├── [3.3K]  README.md
└── [2.2K]  sudopwn.c
0 directories, 2 files

Notes

1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.