CVE-2017-1000367

MEDIUM EXPLOITED

Todd Miller's sudo <1.8.20 - Info Disclosure & Command Execution

Title source: llm

Exploitation Summary

CVE-2017-1000367 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including Qualys Corporation, c0d3z3r0, and pucerpocok.

AI-analyzed exploit summary: This exploit leverages a race condition in sudo (CVE-2017-1000367) to achieve local privilege escalation by manipulating symlinks and inotify events. It creates a controlled environment to trick sudo into executing arbitrary commands with elevated privileges.

Description

Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation flaw (embedded spaces) in the get_process_ttyname() function, resulting in information disclosure and command execution.

Exploits (5)

exploitdb WORKING POC
by Qualys Corporation · c · local · linux
https://www.exploit-db.com/exploits/42183

This exploit leverages a race condition in sudo (CVE-2017-1000367) to achieve local privilege escalation by manipulating symlinks and inotify events. It creates a controlled environment to trick sudo into executing arbitrary commands with elevated privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: sudo versions before 1.8.20p1
No auth needed
Prerequisites: Local access to the target system · sudo installed and vulnerable · Ability to execute binaries
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 113 stars
by c0d3z3r0 · infoleak
https://github.com/c0d3z3r0/sudo-CVE-2017-1000367

This repository contains a functional exploit for CVE-2017-1000367, a Linux Sudo vulnerability involving a race condition in SELinux role validation. The exploit uses symlink manipulation and process scheduling to bypass restrictions and achieve privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: sudo (with SELinux support)
Auth required
Prerequisites: SELinux enabled · sudo built with SELinux support · user with sudo permissions
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 6 stars
by pucerpocok · infoleak
https://github.com/pucerpocok/sudo_exploit

This repository contains a functional Python exploit for CVE-2017-1000367, a sudo privilege escalation vulnerability. The exploit leverages a race condition in sudo's handling of TTY devices to gain root privileges by manipulating symbolic links and file descriptors.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: sudo versions prior to 1.8.20
Auth required
Prerequisites: Local access to a vulnerable system · User must have sudo privileges
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 stars
by homjxi0e · infoleak
https://github.com/homjxi0e/CVE-2017-1000367

The repository contains a functional exploit for CVE-2017-1000367, leveraging a race condition in Sudo's get_process_ttyname() function to achieve local privilege escalation by manipulating symlinks and tty device paths.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Sudo (versions before 1.8.20p1)
Auth required
Prerequisites: Local user access · Sudoer privileges for a command · SELinux-enabled system (for full root privileges)
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by letsr00t · local
https://github.com/letsr00t/CVE-2017-1000367

This exploit leverages a race condition in sudo (CVE-2017-1000367) by manipulating symlinks and process timing to achieve local privilege escalation. It uses inotify to monitor file access and swaps symlinks to trick sudo into executing arbitrary commands with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: sudo versions before 1.8.20p1
No auth needed
Prerequisites: Local access to the target system · Ability to create symlinks in /dev/shm · Sudo configured with SELinux role-based restrictions
devstral-2 · analyzed Feb 19, 2026

References (18)

Core References
Third Party Advisory vendor-advisory
http://www.ubuntu.com/usn/USN-3304-1
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/201705-15
Third Party Advisory, VDB Entry vdb-entry
http://www.securityfocus.com/bid/98745
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2017/Jun/3
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2017:1382
Third Party Advisory vendor-advisory
http://www.debian.org/security/2017/dsa-3867
Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/42183/
Exploit, Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2017/05/30/16
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2017:1381
Exploit, Third Party Advisory, VDB Entry vdb-entry
http://www.securitytracker.com/id/1038582

Scores

CVSS v3: 6.4
EPSS: 0.0802
EPSS Percentile: 94.0%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2023-08-17
CWE: CWE-362
Status: published
Products (1): sudo_project/sudo < 1.8.20
Published: Jun 05, 2017
Tracked Since: Feb 18, 2026