oss-sec mailing list archives
Re: CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution
From: Ruihan Li <lrh2000 () pku edu cn>
Date: Tue, 18 Apr 2023 20:41:35 +0800
Hi Solar Designer,
> Thank you Ruihan Li for finding and handling this vulnerability so well, and for the detailed write-up. When discussing this on linux-distros a week ago, I wrote:
Also thanks to all the people at linux-distro and s@k.o who helped to improve the final disclosure and patches.
> OTOH, not all distros are typical. Besides Android, we got rid of all SUID binaries in default install of Owl over a decade ago. While Owl is now effectively EOL'ed, some of its legacy lives on in ALT Linux distros, which are maintained, and other distros can do similar - it's primarily a matter of caring to do it or not. We did not package sudo in Owl, but if someone were to install it then it'd be the only program exposing this kernel vulnerability. So in that case, hardening sudo would have helped.
That's good to know. I was wondering if there were distros that did not have setuid binaries, which was why I said only ``a number of distros'' were vulnerable. For Steffen Nurpmeso wrote earlier:
> I wonder -- have you verified that they do not use isatty(3) aka some tc*() series *first*? The above with sudo does for example not reveal anything as shown, right? FD 2 seems to be a terminal, .. and whereas i do not have sudo src here, i am sure it uses isatty(3) and tcgetattr(3).
I just noticed that sudo added the isatty check a day ago (April 17th) [1]. I think this change was inspired by this vulnerability, wasn't it? However, as Jakub Wilk pointed out, isatty is still implemented by an ioctl call, so the addition of this check has nothing to do with this vulnerability. Nevertheless, it is still a good idea to make sure isatty succeeds before using ioctl calls with other (perhaps more complex and arbitrary) tty commands.

[1]: https://github.com/sudo-project/sudo/commit/5650b436e6ba20807758a4154e709c10c1c87be8

Thanks,
Ruihan Li
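To illustrate the point about isatty(3) being an ioctl itself, here is an added example that is not sudo's code and not from anyone in this thread: a privileged program can consult fstat(2), which issues no ioctl, and only fall through to isatty(3) once the descriptor is known to be a character device, so an inherited socket or pipe never receives a tty ioctl at all. The function and helper names are my own, and the socketpair, pipe and /dev/null descriptors are constructed purely for the self-check.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd is a character device that answers as a tty, 0 otherwise.
 * fstat(2) is consulted first because it issues no ioctl; only a character
 * device is passed on to isatty(3), which on Linux/glibc is ioctl(TCGETS).
 * Sockets, pipes and regular files are rejected before any ioctl reaches them. */
int fd_is_tty_without_blind_ioctl(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    if (!S_ISCHR(st.st_mode))
        return 0;
    return isatty(fd) ? 1 : 0;
}

/* Constructed descriptors for the self-check (hypothetical helpers). */
int demo_socket_fd(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    close(sv[1]);
    return sv[0];
}

int demo_pipe_fd(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    close(p[1]);
    return p[0];
}

/* /dev/null is a character device but not a terminal: fstat passes, isatty fails. */
int demo_devnull_fd(void) { return open("/dev/null", O_RDONLY); }

int main(void)
{
    int fds[3] = { demo_socket_fd(), demo_pipe_fd(), demo_devnull_fd() };
    const char *names[3] = { "socketpair", "pipe", "/dev/null" };
    for (int i = 0; i < 3; i++) {
        printf("%-10s -> %d\n", names[i], fd_is_tty_without_blind_ioctl(fds[i]));
        close(fds[i]);
    }
    printf("stdin      -> %d\n", fd_is_tty_without_blind_ioctl(STDIN_FILENO));
    return 0;
}
```

Run interactively, only the stdin line reports 1; under a pipe or redirection every line reports 0.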