Windows has had a rough time lately, dealing with various breaches as the result of vulnerabilities. Linux, often considered a malware-free OS, is now experiencing some cyber attacks of its own. Amidst threats like SambaCry and Luabot, which have already made their presence felt recently, another Linux malware attack is looking far more threatening. This new malware exploits a sudo command flaw, gaining root access to any affected system.

What is sudo?

Sudo stands for either “substitute user do” or “super user do,” depending on what type of account is executing the command. On Linux, the root user has the ability to make critical changes to the machine, which earns it the name “super user.” Administrative applications in Linux can be run either by switching to the super user—using the super user command—or by taking advantage of the sudo command. This is exactly where this new malware comes into play. Qualys Security discovered a vulnerability in sudo's “get_process_ttyname()” function for Linux, which the malware uses to gain unrestricted access to administrative capabilities.

Sudo flaw and its capabilities

The flaw lies in the way sudo parses tty information from the status file; it was identified as CVE-2017-1000367 by the Qualys Security team. As explained by Qualys Security professionals, the sudo command parses the status file to determine the device number and device type; it does this by locating the tty from field 7 (tty_nr). The status file's fields are delimited by spaces, but the command name can itself contain whitespace, which sudo doesn't account for. So, a local user with sudo privilege can cause sudo to use a device number of their choosing. The consequence is the ability to overwrite any file on the file system, including files owned by the root user.
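The parsing mistake described above, shown as an added example that is not sudo's code or Qualys's. It assumes the status file follows the Linux /proc/[pid]/stat layout from proc(5); the sample lines and the names tty_nr_naive and tty_nr_robust are constructed for illustration, and the hardened parser is one common approach, not the patch shipped in Sudo 1.8.20p1.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample lines in the /proc/[pid]/stat layout (assumed from
 * proc(5)): pid (comm) state ppid pgrp session tty_nr ... */
static const char STAT_PLAIN[]  = "4242 (bash) S 4100 4242 4100 34817 4242 4194304";
static const char STAT_SPACED[] = "4242 (Web Content) S 4100 4242 4100 34817 4242 4194304";

/* Return the n-th (1-based) space-delimited token of s as a number, or -1. */
static long nth_field(const char *s, int n)
{
    char buf[256], *end, *tok;
    int i = 0;

    if (strlen(s) >= sizeof(buf))
        return -1;
    strcpy(buf, s);
    for (tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (++i != n)
            continue;
        errno = 0;
        long v = strtol(tok, &end, 10);
        /* Reject tokens that are not entirely a decimal number. */
        return (errno != 0 || end == tok || *end != '\0') ? -1 : v;
    }
    return -1;
}

/* Flawed approach: count tokens from the start of the line, which assumes
 * the command name (field 2) never contains whitespace. */
long tty_nr_naive(const char *line) { return nth_field(line, 7); }

/* Hardened approach: skip past the LAST ')' so nothing inside the command
 * name can shift the count, then take the 5th token after it
 * (state=3, ppid=4, pgrp=5, session=6, tty_nr=7). */
long tty_nr_robust(const char *line)
{
    const char *close = strrchr(line, ')');
    return close != NULL ? nth_field(close + 1, 5) : -1;
}

int main(void)
{
    printf("plain : naive=%ld robust=%ld\n", tty_nr_naive(STAT_PLAIN), tty_nr_robust(STAT_PLAIN));
    printf("spaced: naive=%ld robust=%ld\n", tty_nr_naive(STAT_SPACED), tty_nr_robust(STAT_SPACED));
    return 0;
}
```

On the second sample line the naive parser returns the session field instead of tty_nr, because the space inside the command name shifts every later field by one.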

There are two ways this sudo vulnerability can be exploited:

  1. A user can choose a device number that corresponds to a terminal currently in use by another user. This allows an attacker to run a command through sudo with read and write access to an arbitrary terminal device, and so to do things like read sensitive data from another user’s terminal.
  2. A user can also choose a device number that does not currently exist under /dev. If it isn’t found there, then sudo will perform a breadth-first search of /dev. If a pseudo terminal is allocated before the search happens, then the attacker can create a symbolic link to the newly created device in a world-writable directory under /dev (such as /dev/shm). This file will be used as the command’s standard input, output, and error when an SELinux role is specified on the sudo command line. If the symbolic link under /dev/shm is replaced with a link to another file before it is opened by sudo, it is possible to overwrite an arbitrary file by writing to the standard output or standard error. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers. For more detail, please read Qualys Security’s advisory.

How Desktop Central can easily eliminate this sudo exploit

This vulnerability affects Sudo 1.8.6p7 through 1.8.20; it’s marked as high severity, and has already been patched in Sudo 1.8.20p1. Red Hat released patches for Red Hat Enterprise Linux 6 and 7, along with Red Hat Enterprise Linux Server on May 30th. Debian has also released updates for its Wheezy, Jessie, and Sid releases, and SUSE Linux has provided updates for their products as well.

The best way to fix this exploit is by updating your Linux system. And the easiest way to update all your Ubuntu and Debian systems is directly from Desktop Central. Desktop Central has been supporting the latest Debian and Ubuntu patches since May 31st, immediately after their respective vendors’ release on May 30th. Threats are emerging day by day for various platforms and applications, so keep your entire network safe from any malware or adware by updating. Update your Windows, Mac, and Linux machines, and more than 250 third-party applications, directly from Desktop Central. Download Desktop Central and manage up to 50 endpoints for free.