Re: CVE-2016-7545 -- SELinux sandbox escape

[up201407890 () alunos dcc fc up pt]

Quoting "Jakub Wilk" <jwilk () jwilk net>:

> * up201407890 () alunos dcc fc up pt, 2016-09-25, 13:49:
> > When executing a program via the SELinux sandbox, the nonpriv  
> > session can escape to the parent session by using the TIOCSTI ioctl  
> > to push characters into the terminal's input buffer, allowing an  
> > attacker to escape the sandbox.
>
> Apparently every single program that tries to run stuff with reduced  
> privileges falls through this trap.
>
> Are there any use cases for TIOCSTI other than producing exploits?

I had this discussion with Stanislav Brabec, from SUSE, a while ago.

http://marc.info/?l=util-linux-ng&m=145702209921574&w=2

"Just for curiosity, I just ran grep for TIOCSTI ioctl() over all
openSUSE sources. I got about 60 matches.

I analyzed use of some cases:

util-linux: used in agetty in wait_for_term_input()
kbd: contrib utility sti equal to tiocsti utility.
irda: Used by handle_scancode() to emulate input.
tcsh: Used in ed mode and in pushback().
emacs: Used in stuff_char() (putting char to be read from terminal)
...

It seems that TIOCSTI is used for:
- Read character, and if it does not match, put it back.
- Wait for character, than put it back for processing.
- Implementing a simple line editing."

So yes.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.