SELinux exposes a new security vulnerability: a user can obtain root privileges by executing the sudo command

Posted by millikan at 2020-04-04

*The vulnerabilities discussed in this article have been reported to the vendor and fixed. This article is for technical research and discussion only. Using it for illegal purposes is strictly prohibited; otherwise, you bear all consequences yourself.

Security researchers from Qualys Security recently discovered a vulnerability that affects systems using the SELinux mechanism. They found that exploiting it lets a user escalate privileges and overwrite files on the file system.

The high-severity vulnerability CVE-2017-1000367 lies in the get_process_ttyname() function of the sudo command on Linux. An attacker can exploit it so that an ordinary user who obtains temporary permissions through the sudo command can raise those permissions to root level. On systems using the SELinux mechanism, sudo users can use a command's output to escalate their privileges, and can also overwrite files on the file system (even files owned by root).

Vulnerability analysis

Researchers found that sudo's get_process_ttyname() on Linux has the following vulnerability:

This function opens "/proc/[pid]/stat" (see man proc) and reads the device's TTY number from field 7 (tty_nr). But the fields are separated by spaces, and field 2 (the filename of the command) can itself contain spaces (CVE-2017-1000367).

Then, when we execute the sudo command through the symbolic link './ 1', get_process_ttyname() calls sudo_ttyname_dev() to look for the non-existent TTY device number "1" in the built-in search_devs[].

Next, sudo_ttyname_dev() calls sudo_ttyname_scan(), which traverses the "/dev" directory breadth-first, looking for the non-existent TTY device "1".

Finally, during this traversal, the vulnerability lets the current user pass off any character device on the file system as his TTY, and then, through two race conditions, pass off any file on the file system as his TTY.

On an SELinux system, a user who obtains temporary permission through the sudo command does not obtain full root permission. However, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on the user's TTY and dup2()s it onto the command's standard input, output, and error (stdin, stdout, and stderr), sudo users can in this case obtain root privileges.

Therefore, using this vulnerability, sudo users can overwrite any file on the file system with a command's output.
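The parsing ambiguity described above, as an added example that is not sudo's own code: a parser that treats every space as a field separator is compared with one that first skips past the last ')' of field 2. The sample stat lines and the function names tty_nr_naive() and tty_nr_safe() are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/[pid]/stat lines (shortened, not from a real system).
 * Field 2 is the command name in parentheses; field 7 is tty_nr. */
static const char *STAT_NORMAL = "4242 (sudo) R 4000 4242 4000 34818 4242 4194304";
static const char *STAT_SPACED = "4242 (a b c d e 1 ) R 4000 4242 4000 34818 4242 4194304";

/* Flawed approach: every space is a field separator, so spaces inside
 * the command name shift which token is taken as field 7. */
long tty_nr_naive(const char *line)
{
    int field = 1;
    for (const char *p = line; *p; p++) {
        if (*p == ' ' && ++field == 7)
            return strtol(p + 1, NULL, 10);
    }
    return -1;
}

/* Hardened approach (an assumption of this example): the command name is
 * the only free-form field, so resume counting after the LAST ')'. */
long tty_nr_safe(const char *line)
{
    const char *p = strrchr(line, ')');
    if (p == NULL || p[1] != ' ')
        return -1;              /* malformed line: refuse to guess */
    int field = 2;              /* p points at the end of field 2 */
    for (; *p; p++) {
        if (*p == ' ' && ++field == 7)
            return strtol(p + 1, NULL, 10);
    }
    return -1;
}

int main(void)
{
    printf("normal: naive=%ld safe=%ld\n",
           tty_nr_naive(STAT_NORMAL), tty_nr_safe(STAT_NORMAL));
    printf("spaced: naive=%ld safe=%ld\n",
           tty_nr_naive(STAT_SPACED), tty_nr_safe(STAT_SPACED));
    return 0;
}
```

With the spaced command name, the naive parser reports TTY number 1 (a value taken from the process name), while the hardened parser still returns the real tty_nr field.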

Linux system problems

This file is used as the command's standard input, output, and error. If the symbolic link under "/dev/shm" is replaced with a link to another file before the sudo command opens it, any file can be overwritten by writing to standard output or standard error. This can be escalated to full root access by rewriting trusted files such as /etc/shadow or /etc/sudoers.

This vulnerability affects all sudo versions from 1.8.6p7 to 1.8.20 and is fixed in sudo version 1.8.20p1. It is currently rated 7.8 under the CVSS3 rating standard.

*Reference source: securityaffairs, compiled by Elaine. Please credit the source when reprinting.