oss-sec mailing list archives
OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux
From: Jann Horn <jann () thejh net>
Date: Thu, 3 Sep 2015 03:19:31 +0200
OpenSSH 6.8-6.9 chmod()ed the connection's PTY slave to mode 0622 (world-writable). This issue was discovered by Nikolay Edigaryev, fixed in OpenSSH 7.0 and assigned CVE-2015-6565.

On Linux, the impact of this issue is higher because a local attacker can carry out the following attack: After the PTY has been unlocked and the slave has been chmod()ed, but before the ssh server's child has made the PTY slave its controlling terminal, the attacker opens the slave device with open(..., O_WRONLY). (This is pretty easy to do, just open() the device in a loop until it works and hope that you were the first one.)

The Linux kernel will then make the PTY slave the controlling terminal of the attacker's process. (The slave will therefore not become the controlling terminal of sshd's child, but that's not a problem for the attacker.)

The victim's shell opens normally, but the attacker can now perform ioctls on the slave that require having the PTY slave as controlling terminal, most importantly TIOCSTI (pushback). Using this ioctl, the attacker can write arbitrary commands into the victim user's terminal - not as output to the user, but as input into the terminal that is delivered to the user's shell - and thereby obtain code execution as the targeted user.

This attack was successfully tested against OpenSSH 6.9p1 compiled from source on a Fedora box.

For a bit more about TIOCSTI, see <http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>.

The trivial attack makes it obvious to the victim that something's going on, but it's not hard to make the entered command and the shell's new prompt invisible.

A kernel patch that tightens the rules for opening a TTY as controlling terminal is probably going to land soon.