Sudo '/src/ttyname.c' Local Privilege Escalation Vulnerability

Sudo is prone to a local privilege-escalation vulnerability.

Local attackers could exploit this issue to run arbitrary commands with root privileges.

Sudo versions 1.8.6p7 through 1.8.20 are vulnerable.

Information

Bugtraq ID: 98745
Class: Design Error
CVE: CVE-2017-1000367

Remote: No
Local: Yes
Published: May 30 2017 12:00AM
Updated: May 31 2017 04:46PM
Credit: Qualys Security
Vulnerable: Todd Miller Sudo 1.8.20
Todd Miller Sudo 1.8.19
Todd Miller Sudo 1.8.17
Todd Miller Sudo 1.8.16
Todd Miller Sudo 1.8.11
Todd Miller Sudo 1.8.6p7
Todd Miller Sudo 1.8.19p2
Todd Miller Sudo 1.8.19p1
Todd Miller Sudo 1.8.18p1
Todd Miller Sudo 1.8.15
Todd Miller Sudo 1.8.14
Todd Miller Sudo 1.8.12
Redhat Enterprise Linux 7
Redhat Enterprise Linux 6
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Redhat Enterprise Linux 5
Gentoo Linux
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 ia-30
Debian Linux 6.0 arm
Debian Linux 6.0 amd64

Not Vulnerable: Todd Miller Sudo 1.8.20p1

Exploit

The researcher who discovered this issue has created a proof-of-concept. Please see the references for more information.

References:

• Bug 1453074 - (CVE-2017-1000367) CVE-2017-1000367 sudo: Privilege escalation in (Red Hat Bugzilla)
  
• CVE-2017-1000367 (Red Hat Bugzilla)
  
• Qualys Security Advisory - CVE-2017-1000367 in Sudo's get_process_ttyname() for (Qualys Security)
  
• Sudo Homepage (Todd Miller)
  
• Sudo Release (Sudo)
  
• sudo: Privilege escalation via improper get_process_ttyname() parsing (Redhat)
  

Source: www.securityfocus.com