oss-sec mailing list archives

OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux


From: Jann Horn <jann () thejh net>
Date: Thu, 3 Sep 2015 03:19:31 +0200

OpenSSH 6.8-6.9 chmod()ed the connection's PTY slave to mode 0622
(world-writable). This issue was discovered by Nikolay Edigaryev, fixed in
OpenSSH 7.0 and assigned CVE-2015-6565.

On Linux, the impact of this issue is higher because a local attacker can
carry out the following attack:

After the PTY has been unlocked and the slave has been chmod()ed, but before
the ssh server's child has made the PTY slave its controlling terminal, the
attacker opens the slave device with open(..., O_WRONLY). (This is pretty easy
to do: just open() the device in a loop until it works and hope that you were
the first one.) The Linux kernel will then make the PTY slave the controlling
terminal of the attacker's process. (The slave will therefore not become the
controlling terminal of sshd's child, but that's not a problem for the
attacker.) The victim's shell opens normally, but the attacker can now
perform ioctls on the slave that require having the PTY slave as controlling
terminal, most importantly TIOCSTI (pushback). Using this ioctl, the attacker
can write arbitrary commands into the victim user's terminal - not as output
to the user, but as input into the terminal that is delivered to the user's
shell - and thereby obtain code execution as the targeted user.

This attack was successfully tested against OpenSSH 6.9p1 compiled from source
on a Fedora box.

For a bit more about TIOCSTI, see
<http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>.

The trivial attack makes it obvious to the victim that something's going on,
but it's not hard to make the entered command and the shell's new prompt
invisible.

A kernel patch that tightens the rules for opening a TTY as controlling
terminal is probably going to land soon.
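As an added check, not part of Jann Horn's post, the following Python script stats the PTY slaves under /dev/pts and reports any whose permission bits grant write access to "other", which is the 0622 state described above. It assumes the usual Linux default of 0620 (owner rw, group tty w) for a slave; the function names are mine.

```python
import os
import stat

# Expected mode of a PTY slave on Linux (assumption): rw for the owner,
# w for group "tty", nothing for others. OpenSSH 6.8-6.9 (CVE-2015-6565)
# instead left the slave at 0622, i.e. writable by everyone.
EXPECTED_PTY_MODE = 0o620


def is_world_writable(mode: int) -> bool:
    """True if the 'other' write bit is set in a permission value."""
    return bool(mode & stat.S_IWOTH)


def find_world_writable(entries):
    """Return the paths whose permission bits include other-write.

    entries: iterable of (path, st_mode) pairs; st_mode may carry the
    file-type bits, which are masked off with S_IMODE before the check.
    """
    return [path for path, mode in entries
            if is_world_writable(stat.S_IMODE(mode))]


def scan_dev_pts(directory="/dev/pts"):
    """Stat every character device under /dev/pts (skipping the ptmx
    multiplexer) and return the world-writable slaves."""
    entries = []
    with os.scandir(directory) as it:
        for entry in it:
            if entry.name == "ptmx":
                continue
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISCHR(st.st_mode):
                entries.append((entry.path, st.st_mode))
    return find_world_writable(entries)


if __name__ == "__main__":
    bad = scan_dev_pts()
    if bad:
        for path in bad:
            print(f"{path}: mode {oct(stat.S_IMODE(os.stat(path).st_mode))} "
                  f"is world-writable (expected {oct(EXPECTED_PTY_MODE)})")
    else:
        print("no world-writable PTY slaves found")
```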
