CVE-2017-1000367

Published: 05/06/2017 Updated: 07/11/2023
CVSS v2 Base Score: 6.9 | Impact Score: 10 | Exploitability Score: 3.4
CVSS v3 Base Score: 6.4 | Impact Score: 5.9 | Exploitability Score: 0.5
VMScore: 696
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Todd Miller's sudo version 1.8.20 and previous versions are vulnerable to an input validation flaw (embedded spaces) in the get_process_ttyname() function, resulting in information disclosure and command execution.

Vulnerable Product

sudo project sudo

Vendor Advisories

Sudo could be made to overwrite files as the administrator ...
Synopsis: Important: sudo security update. Type/Severity: Security Advisory: Important. Topic: An update for sudo is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring ...
Synopsis: Important: sudo security update. Type/Severity: Security Advisory: Important. Topic: An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System ...
Synopsis: Moderate: sudo security update. Type/Severity: Security Advisory: Moderate. Topic: An update for sudo is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a securit ...
Debian Bug report logs - #863897 sudo: CVE-2017-1000368: Arbitrary terminal access due to issue in parsing /proc/[pid]/stat when process name contains newline. Package: src:sudo; Maintainer for src:sudo is Bdale Garbee <bdale@gag.com>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Thu, 1 Jun 2017 18:45:0 ...
Debian Bug report logs - #863731 sudo: CVE-2017-1000367: Potential overwrite of arbitrary files. Package: src:sudo; Maintainer for src:sudo is Bdale Garbee <bdale@gag.com>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 30 May 2017 15:30:01 UTC; Severity: grave; Tags: fixed-upstream, patch, security, u ...
The Qualys Security team discovered that sudo, a program designed to provide limited super user privileges to specific users, does not properly parse "/proc/[pid]/stat" to read the device number of the tty from field 7 (tty_nr). A sudoers user can take advantage of this flaw on an SELinux-enabled system to obtain full root privileges. For the stabl ...
A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root (CVE-2017-1000367) ...
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295. This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root acc ...
On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process's tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user's choos ...

Exploits

/* * E-DB Note: www.openwall.com/lists/oss-security/2017/05/30/16 * E-DB Note: seclists.org/oss-sec/2017/q2/470 * * Linux_sudo_CVE-2017-1000367.c * Copyright (C) 2017 Qualys, Inc. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * ...
Sudo's get_process_ttyname() on Linux suffers from a race condition that allows for root privilege escalation ...
sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution ...

Github Repositories

sudo-CVE-2017-1000367: www.openwall.com/lists/oss-security/2017/05/30/16. Compile: gcc -o sudopwn sudopwn.c -lutil. Disclaimer: I had no clue what I was doing ;-) Requirements: System must be selinux-enabled; sudo needs to be built with selinux support (sudo -r); User needs to have sudo permissions, e.g. "toor ALL=(ALL) NOPASSWD: /usr/bin/sum"

CVE-2017-1000367: We discovered a vulnerability in Sudo’s get_process_ttyname() for Linux: this function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367). For example, if we execut

sudo_exploit: own implementation of the CVE-2017-1000367 sudo privilege escalation vulnerability in Python