CVE-2005-4890
📋 TL;DR
A terminal (tty) hijack in su (shadow before 4.1.5) and sudo (before 1.7.4). When a privileged user runs 'su - user -c program' (or 'sudo -u user program') from an interactive terminal, the program runs as the less-privileged user but inherits the caller's controlling terminal. It can therefore use the TIOCSTI ioctl to push characters into that terminal's input queue as if they had been typed; the caller's shell reads and executes them as soon as su or sudo returns. The result is an escape from the unprivileged command back into the privileged parent session, typically root. No memory corruption or race is involved.
💻 Affected Systems
- shadow (the su command) before 4.1.5
- sudo before 1.7.4
📦 What is this software?
shadow (shadow-utils, the shadow-maint project): su, login, passwd and related account tools. On Debian-derived systems the su binary ships in the passwd package, and many current distributions use su from util-linux instead of shadow.
sudo by Todd Miller and the Sudo Project: runs commands as another user according to /etc/sudoers.
⚠️ Risk & Real-World Impact
Worst Case
Root runs 'su - user -c program' on an attacker-controlled program or account from an interactive shell; the program injects a command line that root's shell executes after su exits, giving full root compromise and persistence.
Likely Case
Any account boundary crossed with 'su - user -c' or 'sudo -u user' from a terminal is escapable in the reverse direction: root to a service user, or user A to user B, lets the target user run commands as the caller.
If Mitigated
With 'Defaults use_pty' in sudoers, a fresh-pty or setsid wrapper around su, or TIOCSTI disabled in the kernel, the injected bytes never reach the caller's terminal and the issue is closed; ordinary least-privilege separation does not help on its own, because the caller is already the privileged party.
🎯 Exploit Status
Exploitation is trivial once the preconditions hold: the primitive is one ioctl(TIOCSTI) call per injected character, and public proof-of-concept code is available (see the oss-security threads in the references). The attacker must control the program or account that a more privileged user runs via 'su - user -c' or 'sudo -u user' from an interactive terminal, and the kernel must still permit TIOCSTI. Nothing is exploitable when the caller has no controlling terminal (cron, pipelines, service managers).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: shadow 4.1.5 or later (su); sudo 1.7.4 or later
Advisory: http://www.openwall.com/lists/oss-security/2012/11/06/8
Restart Required: No (new su/sudo invocations use the updated binaries; already-running sessions are unaffected)
Instructions:
1. Upgrade the package that provides su: 'apt-get install --only-upgrade passwd login' on Debian/Ubuntu, 'yum update shadow-utils' on RHEL/CentOS (there is no binary package named 'shadow'). 2. Upgrade sudo: 'apt-get install --only-upgrade sudo' or 'yum update sudo'. 3. sudo 1.7.4 addresses the problem by adding the use_pty option, which runs each command in a freshly allocated pty; it is off by default before sudo 1.9.14, so add 'Defaults use_pty' to /etc/sudoers with visudo. 4. Distribution backports may ship the fix under an older version string; consult the Red Hat and Debian trackers in the references before concluding a system is vulnerable.
🔧 Temporary Workarounds
Give the dropped-privilege command its own terminal
Linux: the attack works only because the child shares the caller's controlling tty, so restricting who may run su (pam_wheel in /etc/pam.d/su) does not help; the caller is already the privileged party. Instead, run the child on a fresh pty or with no controlling terminal at all: the kernel refuses TIOCSTI on any tty that is not the calling process's own controlling terminal. setsid breaks job control and interactive programs, so prefer the pty wrapper for interactive commands.
# fresh pty via script(1): the child's TIOCSTI lands in script's pty, not the caller's
script -qc "su - user -c program" /dev/null
# no controlling tty at all: TIOCSTI fails with EPERM (non-interactive commands only)
setsid su - user -c program
# sudo 1.7.4 or later, in /etc/sudoers via visudo
Defaults use_pty
Disable TIOCSTI in the kernel
Linux 6.2 and later: the dev.tty.legacy_tiocsti sysctl (CONFIG_LEGACY_TIOCSTI) makes TIOCSTI fail with EIO for every process without CAP_SYS_ADMIN; persist the setting under /etc/sysctl.d/. On older kernels grsecurity's GRKERNSEC_HARDEN_TTY provides the same block. AppArmor cannot filter individual ioctl requests, and SELinux can only do so with extended-permission (allowxperm ioctl) rules, so neither is a drop-in substitute.
sysctl -w dev.tty.legacy_tiocsti=0
🧯 If You Can't Patch
- Never run a command as an untrusted user with 'su - user -c' or 'sudo -u user' from an interactive terminal; invoke it from a context without a controlling tty (cron, a systemd unit, a pipeline) or under a freshly allocated pty ('script -qc "su - user -c program" /dev/null')
- Monitor and audit all su and sudo invocations, and audit the ioctl syscall for the TIOCSTI request (0x5412) so that injection attempts are recorded
🔍 How to Verify
Check if Vulnerable:
Check the package versions rather than calling a 'shadow' binary (there is none): 'dpkg -l passwd sudo' on Debian/Ubuntu (su ships in the passwd package, built from shadow) or 'rpm -q shadow-utils sudo' on RHEL/Fedora. Vulnerable: shadow before 4.1.5, sudo before 1.7.4. Distribution backports may carry the fix under an older version string, and on many current distributions su comes from util-linux rather than shadow ('su --version' prints 'su from util-linux ...' in that case), so check the vendor trackers in the references before deciding.
Check Version:
rpm -q shadow-utils sudo 2>/dev/null || dpkg -l passwd sudo; su --version 2>/dev/null; sudo -V
Verify Fix Applied:
'sudo -V' should report 1.7.4 or later and 'sudo -l' should list use_pty among the matching Defaults entries (off by default before 1.9.14); the shadow-utils or passwd package should be 4.1.5 or later, or a vendor build that backports the fix.
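Given util-linux su and backported fixes, a functional check is more reliable than a version string. The probe below is an added example written for this page, not code from shadow, sudo or any vendor: it attempts TIOCSTI against its own stdin and reads the injected line back itself, so nothing reaches the parent shell, and it maps the outcome onto a verdict. The marker line and the verdict names are this example's own; the kernel behaviour it relies on (EPERM when the fd is not the caller's controlling tty, EIO when dev.tty.legacy_tiocsti=0 on Linux 6.2+) is Linux's. It also illustrates the mechanism described in the TL;DR, since the injected bytes are indistinguishable from keyboard input.

```c
/* tiocsti_probe.c: added example for this advisory, not code from shadow or
 * sudo. It exercises the primitive behind CVE-2005-4890: TIOCSTI queues a byte
 * on the process's controlling terminal as if it had been typed. The probe
 * injects a harmless, constructed marker line on its own stdin and reads it
 * back, so nothing reaches the parent shell; run as the unprivileged user via
 * an unpatched 'su - user -c ./tiocsti_probe', the same bytes would instead be
 * read by the caller's shell once su returns. Root (CAP_SYS_ADMIN) bypasses
 * both kernel checks, so run it as the target user, not as root.
 * Build: cc -Wall -o tiocsti_probe tiocsti_probe.c   (Linux)
 */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

enum verdict {
    TIOCSTI_ALLOWED,        /* ioctl succeeded: the tty on fd is reachable */
    TIOCSTI_KERNEL_BLOCKED, /* EIO: dev.tty.legacy_tiocsti=0 (Linux 6.2+) */
    TIOCSTI_NOT_CTTY,       /* EPERM: fd is a tty but not our controlling one */
    TIOCSTI_NO_TTY,         /* ENOTTY/ENXIO/EBADF: no terminal on this fd */
    TIOCSTI_OTHER
};

/* Push every byte of s into the input queue of the terminal on fd.
 * Returns 0 on success or -errno from the first failing ioctl. */
int push_input(int fd, const char *s)
{
    for (const char *p = s; *p; p++)
        if (ioctl(fd, TIOCSTI, p) < 0)
            return -errno;
    return 0;
}

/* Map push_input()'s result onto a verdict a hardening check can act on. */
enum verdict classify(int rc)
{
    switch (-rc) {
    case 0:      return TIOCSTI_ALLOWED;
    case EIO:    return TIOCSTI_KERNEL_BLOCKED;
    case EPERM:  return TIOCSTI_NOT_CTTY;
    case ENOTTY: case ENXIO: case EBADF: return TIOCSTI_NO_TTY;
    default:     return TIOCSTI_OTHER;
    }
}

int main(void)
{
    static const char marker[] = "tiocsti-probe\n"; /* constructed, harmless */
    const int fd = STDIN_FILENO;                     /* inherited from caller */
    const char *name = ttyname(fd);
    char buf[64] = "";
    int rc = push_input(fd, marker);

    switch (classify(rc)) {
    case TIOCSTI_ALLOWED: {
        /* Read our own injected line back; 1 s timeout so we never hang. */
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        ssize_t n = poll(&pfd, 1, 1000) > 0 ? read(fd, buf, sizeof buf - 1) : 0;
        buf[n > 0 ? n : 0] = '\0';
        printf("VULNERABLE: TIOCSTI accepted on %s, read back: %s",
               name ? name : "?", buf[0] ? buf : "(nothing)\n");
        break;
    }
    case TIOCSTI_KERNEL_BLOCKED:
        puts("OK: kernel rejects TIOCSTI (EIO, dev.tty.legacy_tiocsti=0)");
        break;
    case TIOCSTI_NOT_CTTY:
        printf("OK: %s is not this process's controlling tty (EPERM)\n",
               name ? name : "stdin");
        break;
    case TIOCSTI_NO_TTY:
        puts("No terminal on stdin: nothing to inject into");
        break;
    default:
        printf("unexpected error: %s\n", strerror(-rc));
    }
    return 0;
}
```

Run it as the unprivileged target user from the caller's side, for example 'su - alice -c /tmp/tiocsti_probe' from a root shell. VULNERABLE on the caller's own pts device means a program in alice's place could push arbitrary commands into the root shell. Under 'script -qc ... /dev/null' or 'Defaults use_pty' the verdict is still ALLOWED but the reported device is a fresh pty that nobody privileged is reading, which is exactly what those mitigations achieve; under setsid or on a 6.2+ kernel with legacy_tiocsti=0 it reports EPERM or EIO.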
📡 Detection & Monitoring
Log Indicators:
- su or sudo switching from root (or another privileged account) to an unprivileged user on a pts, e.g. 'su: (to alice) root on pts/0' or 'sudo: root : TTY=pts/0 ; ... ; USER=alice ; COMMAND=...' in auth.log: these are the invocations the attack needs
- ioctl(2) calls whose request argument is TIOCSTI (0x5412 on x86, x86_64 and arm64), captured with an auditd rule on the ioctl syscall filtered by its second argument ('-F a1=0x5412'); legitimate use of TIOCSTI is rare, so hits from service accounts or from children of su/sudo are suspicious
- Commands in a privileged shell's history that the administrator did not type, immediately following such a su or sudo call
Network Indicators:
- Not applicable - local attack only
SIEM Query:
source="auth.log" AND (("su:" AND "(to " AND NOT "(to root)") OR ("sudo:" AND "TTY=pts" AND NOT "USER=root"))
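The auth.log query only shows the invocations that make the attack possible; the injection itself is visible only at the syscall level. The scanner below is an added example written for this page, not code from any vendor or audit tool: it walks audit SYSCALL records and reports every ioctl whose request argument is TIOCSTI, successful or blocked. It assumes the standard auditd field layout (hex arguments without a 0x prefix, arch codes c000003e/40000003/c00000b7 for x86_64/i386/aarch64, ioctl syscall numbers 16/54/29), a rule such as 'auditctl -a always,exit -F arch=b64 -S ioctl -F a1=0x5412 -k tiocsti' (the key name is a placeholder), and the sample records are constructed for the demo rather than captured from a host.

```c
/* audit_tiocsti.c: added example for this advisory, not code from shadow, sudo
 * or any vendor. Scans Linux audit SYSCALL records for ioctl(2) calls whose
 * request argument is TIOCSTI and reports who pushed input into which tty.
 * Pairs with an audit rule such as (key name "tiocsti" is a placeholder):
 *   auditctl -a always,exit -F arch=b64 -S ioctl -F a1=0x5412 -k tiocsti
 * The records in SAMPLE are constructed for this demo, not captured logs.
 * Build: cc -Wall -o audit_tiocsti audit_tiocsti.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TIOCSTI_REQ 0x5412UL   /* TIOCSTI on x86, x86_64 and arm64 Linux */

const char *const SAMPLE[] = {
    /* real TIOCSTI push by uid 1001 into pts0: the injection primitive */
    "type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=16 "
    "success=yes exit=0 a0=0 a1=5412 a2=7ffc9d3e0c3f a3=0 items=0 ppid=4100 "
    "pid=4101 auid=0 uid=1001 euid=1001 tty=pts0 comm=\"probe\" "
    "exe=\"/home/alice/probe\" key=\"tiocsti\"",
    /* same process, TCGETS (0x5401): an ordinary terminal query, not TIOCSTI */
    "type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=16 "
    "success=yes exit=0 a0=0 a1=5401 a2=7ffc9d3e0b90 a3=0 items=0 ppid=4100 "
    "pid=4101 auid=0 uid=1001 euid=1001 tty=pts0 comm=\"probe\" "
    "exe=\"/home/alice/probe\" key=\"tiocsti\"",
    /* write(2) whose second argument happens to be 0x5412: a rule that
     * forgot -S ioctl would log this; the scanner must not flag it */
    "type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=1 "
    "success=yes exit=64 a0=1 a1=5412 a2=40 a3=0 items=0 ppid=1 pid=900 "
    "auid=4294967295 uid=0 euid=0 tty=(none) comm=\"rsyslogd\" "
    "exe=\"/usr/sbin/rsyslogd\" key=\"tiocsti\"",
    /* blocked attempt: exit=-5 (EIO) from dev.tty.legacy_tiocsti=0 */
    "type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=16 "
    "success=no exit=-5 a0=0 a1=5412 a2=7ffd1c0a0e3f a3=0 items=0 ppid=4100 "
    "pid=4102 auid=0 uid=1001 euid=1001 tty=pts0 comm=\"probe\" "
    "exe=\"/home/alice/probe\" key=\"tiocsti\"",
    /* unrelated record type from the same session */
    "type=USER_START msg=audit(1700000000.105:205): pid=4100 uid=0 auid=0 "
    "msg='op=PAM:session_open acct=\"alice\" exe=\"/usr/bin/su\" "
    "terminal=pts/0 res=success'",
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Copy the value of key= from one audit record into out (quotes stripped).
 * Only a key at the start of the record or after a space counts, so "uid"
 * does not match inside "auid" or "euid". Returns 1 if found, else 0. */
static int field(const char *rec, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    for (const char *p = rec; (p = strstr(p, key)) != NULL; p++) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            int quoted = (*v == '"');
            if (quoted) v++;
            size_t n = strcspn(v, quoted ? "\"" : " \n");
            if (n >= outsz) n = outsz - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

/* ioctl(2) syscall number for an audit arch code, or -1 if unknown. */
static long ioctl_nr_for_arch(const char *arch)
{
    if (!strcmp(arch, "c000003e")) return 16;  /* x86_64 */
    if (!strcmp(arch, "40000003")) return 54;  /* i386 */
    if (!strcmp(arch, "c00000b7")) return 29;  /* aarch64 */
    return -1;
}

/* 1 if rec is a SYSCALL record for ioctl(..., TIOCSTI, ...), whether the
 * call succeeded or was blocked by the kernel; 0 otherwise. */
int is_tiocsti_record(const char *rec)
{
    char type[16], arch[16], nr[16], a1[32];
    if (!field(rec, "type", type, sizeof type) || strcmp(type, "SYSCALL") != 0)
        return 0;
    if (!field(rec, "arch", arch, sizeof arch) || !field(rec, "syscall", nr, sizeof nr))
        return 0;
    if (strtol(nr, NULL, 10) != ioctl_nr_for_arch(arch))
        return 0;
    return field(rec, "a1", a1, sizeof a1) && strtoul(a1, NULL, 16) == TIOCSTI_REQ;
}

/* Print one line per TIOCSTI attempt in recs and return how many were found. */
int scan(const char *const *recs, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        char uid[16] = "?", tty[16] = "?", comm[64] = "?", ok[8] = "?";
        if (!is_tiocsti_record(recs[i]))
            continue;
        field(recs[i], "uid", uid, sizeof uid);
        field(recs[i], "tty", tty, sizeof tty);
        field(recs[i], "comm", comm, sizeof comm);
        field(recs[i], "success", ok, sizeof ok);
        printf("TIOCSTI %s: uid=%s comm=%s tty=%s\n",
               strcmp(ok, "yes") == 0 ? "INJECTED" : "blocked", uid, comm, tty);
        hits++;
    }
    return hits;
}

int main(void)
{
    int hits = scan(SAMPLE, NSAMPLE);
    printf("%d TIOCSTI attempt(s) in %zu records\n", hits, NSAMPLE);
    return 0;
}
```

Matching on the syscall number per architecture, not just on a1, is what keeps the write(2) record out of the results; blocked attempts (success=no) are reported as well, since a failed injection still identifies an account probing the caller's terminal. Feeding real records instead of SAMPLE is a matter of reading /var/log/audit/audit.log line by line into scan().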
🔗 References
- http://www.openwall.com/lists/oss-security/2012/11/06/8
- http://www.openwall.com/lists/oss-security/2013/05/20/3
- http://www.openwall.com/lists/oss-security/2013/11/28/10
- http://www.openwall.com/lists/oss-security/2013/11/29/5
- http://www.openwall.com/lists/oss-security/2014/10/20/9
- http://www.openwall.com/lists/oss-security/2014/10/21/1
- http://www.openwall.com/lists/oss-security/2014/12/15/5
- http://www.openwall.com/lists/oss-security/2016/02/25/6
- https://access.redhat.com/security/cve/cve-2005-4890
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2005-4890
- https://security-tracker.debian.org/tracker/CVE-2005-4890