CVE-2017-1000367 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	No
Type	Access restriction bypass
Description	On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process's tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user's choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number. This may allow a user to be able to bypass the "tty_ticket" constraints. In order for this to succeed there must exist on the machine a terminal device that the user has previously authenticated themselves on via sudo within the last time stamp timeout (5 minutes by default).

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-282	sudo	1.8.20-1	1.8.20.p1-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
30 May 2017	ASA-201705-25	AVG-282	sudo	Medium	access restriction bypass

References
https://www.sudo.ws/alerts/linux_tty.html http://www.openwall.com/lists/oss-security/2017/05/30/16 https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b

Notes
If SELinux is enabled on the system and sudo was built with SELinux support, it is possible for a user with sudo privileges to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or event /etc/sudoers.

Notes

If SELinux is enabled on the system and sudo was built with SELinux support, it is possible for a user with sudo privileges to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or event /etc/sudoers.