oss-sec mailing list archives
Re: TTY handling when executing code in different lower-privileged context (su, virt containers)
From: vladz <vladz () devzero fr>
Date: Tue, 6 Nov 2012 11:21:08 +0100
On Mon, Nov 05, 2012 at 07:22:37PM +0000, halfdog wrote:
> During programming experiments I found some class of vulnerabilities [1], that seem to be rediscovered again from time to time, but since attack value is questionable, it was not fixed yet.

Nice. I was just wondering why the SIGSTOP signal is used here? Sending a string starting with "exit;" to close the child process also does the trick, no? When [1] was posted on the oss list, I wrote this little PoC [2] to hijack an interactive bash shell opened with "su - <user>".

> I would like to propose following "fix" for this problem: Modification of man-page of su making this a known problem or feature, not a bug.

Changing the man page is a good idea. Administrators (good ones) should never have to open users' interactive shells. I mean, besides being a security problem, it's kind of invasion of privacy. ;)

[1] http://www.openwall.com/lists/oss-security/2011/12/20/2
[2] http://vladz.devzero.fr/svn/codes/bash/dontsu.sh

vladz.