Bug 916365 (CVE-2013-1776) - CVE-2013-1776 sudo: bypass of tty_tickets constraints
Summary: CVE-2013-1776 sudo: bypass of tty_tickets constraints
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-1776
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 916367 968221
Blocks: 916366 952520
Reported: 2013-02-27 22:44 UTC by Vincent Danen
Modified: 2021-02-17 07:59 UTC

Fixed In Version: sudo 1.8.5, sudo 1.7.10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-01 04:59:23 UTC
Embargoed:


Links
Red Hat Product Errata RHSA-2013:1353 (priority normal, status SHIPPED_LIVE): Low: sudo security and bug fix update, last updated 2013-10-01 00:31:10 UTC

Description Vincent Danen 2013-02-27 22:44:01 UTC
From the upstream advisory:

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default).
This time stamp file can either be common to all of a user's terminals, or it can be specific to the particular terminal the user authenticated themselves on. The terminal-specific time stamp file behavior can be controlled using the "tty_tickets" option in the sudoers file. This option has been enabled by default since sudo 1.7.4. Prior to sudo 1.7.4, the default was to use a single time stamp for all the user's sessions.

A vulnerability exists because the user can control which terminal the standard input, output and error file descriptors (0-2) refer to. A malicious user could use this to run commands via sudo without authenticating, so long as there exists a terminal the user has access to where a sudo command was successfully run by that same user within the password timeout period (usually five minutes).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

This affects versions 1.3.5 up to the fixed 1.7.10p6 version, and sudo 1.8.0 up to the fixed 1.8.7p7.

The fix for 1.7.x: http://www.sudo.ws/repos/sudo/rev/0c0283d1fafa

The fix for 1.8.x: http://www.sudo.ws/repos/sudo/rev/049a12a5cc14


External References:

http://www.sudo.ws/sudo/alerts/tty_tickets.html

Comment 1 Vincent Danen 2013-02-27 22:47:57 UTC
Created sudo tracking bugs for this issue

Affects: fedora-all [bug 916367]

Comment 3 Fedora Update System 2013-03-16 01:22:29 UTC
sudo-1.8.6p7-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2013-03-19 20:04:45 UTC
sudo-1.8.6p7-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Vincent Danen 2013-04-08 22:43:05 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1776 to the following vulnerability:

Name: CVE-2013-1776
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1776
Assigned: 20130219
Reference: http://www.openwall.com/lists/oss-security/2013/02/27/31
Reference: http://www.sudo.ws/repos/sudo/rev/632f8e028191
Reference: http://www.sudo.ws/repos/sudo/rev/6b22be4d09f0
Reference: http://www.sudo.ws/sudo/alerts/tty_tickets.html
Reference: http://www.securityfocus.com/bid/58207

sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to connecting to a standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions.

See bug #949751 for CVE-2013-2776 and bug #949753 for CVE-2013-2777

Comment 14 Huzaifa S. Sidhpurwala 2013-09-30 03:46:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHBA-2013:0363 https://rhn.redhat.com/errata/RHBA-2013-0363.html

Comment 15 errata-xmlrpc 2013-10-01 00:29:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1353 https://rhn.redhat.com/errata/RHSA-2013-1353.html

Comment 16 Huzaifa S. Sidhpurwala 2013-10-01 04:56:58 UTC
This issue has been classified as low security impact, because of the following reasons.

1. A user already needs to have sudo access on the target machine.

2. Successful exploitation of this issue only results in a bypass of the sudo credential cache timeout; it does not provide any additional privileges to the attacker.

Comment 17 Huzaifa S. Sidhpurwala 2013-10-01 04:59:23 UTC
Statement:

(none)

Comment 18 Tomas Hoger 2013-10-09 21:06:07 UTC
This CVE was assigned to the issue that allowed bypassing tty_tickets restriction by opening another terminal device and connecting it to stdin/stdout/stderr.  To address the bypass, sudo was modified to extract tty information from /proc.  The fix was implemented in sudo versions 1.8.5 and 1.7.10.

However, the fix could still fall back to using the stdin/stdout/stderr check in certain cases. Another way to bypass that check was discovered later, and that is what CVE-2013-2777 (bug 949753) was assigned to.

This issue was already fixed in Red Hat Enterprise Linux 6 packages when they were rebased from 1.7.4p5 to 1.8.6p3 in RHBA-2013:0363 in Red Hat Enterprise Linux 6.4.
