chmln sd command Privilege Escalation Vulnerability
Vulnerability
A local privilege escalation vulnerability has been identified in the 'sd' command, versions through 1.0.0. This issue allows low-privilege users to escalate their privileges to root by executing a crafted command. The vulnerability arises because the 'sd' command improperly handles file ownership when used with 'sudo', enabling the manipulation of file permissions to gain elevated rights.
Impact
Exploitation of this vulnerability allows low-privilege users to gain root privileges.
Reproduction
The vulnerability can be reproduced by a low-privilege user who has permission to run the 'sd' command as a higher-privilege user via 'sudo'. The user can execute the 'sd' command to change the group ownership of a file to that of the higher-privilege user, while retaining the file's original permissions. This can be done by first creating a file and then using 'sudo' to run the 'sd' command, specifying the file as an argument. Once the file's group ownership has been changed, the user can exploit the vulnerability by setting the setuid bit on the file and using the 'sd' command again to escalate privileges.
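The sudo precondition described above can be audited from the defender's side. The following is an added example, not code from the advisory or the sd project: it scans sudoers text for rules that let a user run a binary named sd, whether directly, through a Cmnd_Alias, or through ALL. The function name find_sd_grants and the sample sudoers lines are constructed for illustration.

```python
import re

# Constructed sample sudoers content for illustration (not from the advisory).
SAMPLE_SUDOERS = """\
Cmnd_Alias EDITORS = /usr/bin/sd, /usr/bin/sed
Defaults env_reset
alice ALL=(root) NOPASSWD: /usr/bin/sd
bob   ALL=(ALL) EDITORS
carol ALL=(root) /usr/bin/systemctl restart nginx
%ops  ALL=(deploy) /usr/local/bin/sd *
dave  ALL=(ALL:ALL) ALL
"""

SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...
RULE = re.compile(r"(\S+)\s+[^\s=]+\s*=\s*(?:\(([^)]*)\))?\s*(.+)")
ALIAS = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)")

def find_sd_grants(text, binary="sd"):
    """Return (who, runas, command) for each rule that permits running `binary`.

    Simplified parser (assumption): include directives are not followed, nested
    aliases are not expanded, and commas inside command arguments are unsupported.
    """
    lines = [l.strip() for l in text.replace("\\\n", " ").splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    aliases = {}
    for line in lines:
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    findings = []
    for line in lines:
        m = RULE.match(line)
        if not m or line.startswith(SKIP):
            continue
        who, runas, cmds = m.group(1), m.group(2) or "root", m.group(3)
        for spec in cmds.split(","):
            spec = TAGS.sub("", spec.strip())
            for cmd in aliases.get(spec, [spec]):
                if not cmd or cmd.startswith("!"):
                    continue  # empty or explicitly denied command
                name = cmd.split()[0].rsplit("/", 1)[-1]
                if cmd == "ALL" or name == binary:
                    findings.append((who, runas, cmd))
    return findings

if __name__ == "__main__":
    for who, runas, cmd in find_sd_grants(SAMPLE_SUDOERS):
        print(f"{who} may run '{cmd}' as {runas}")
```

Each finding is a rule to review or remove on hosts where an affected sd version is installed.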
