oss-sec mailing list archives
Re: TTY pushback vulnerabilities / TIOCSTI
From: Casper Dik <casper.dik () oracle com>
Date: Wed, 15 Mar 2023 09:26:24 +0000
On Wed, 15 Mar 2023, Fabian Keil wrote:
In ElectroBSD I removed TIOCSTI support in 2017 [0] and haven't noticed any problems.
I hate tossing out functionality; would you not make it a privileged operation instead?
-- Dave
I think it makes it mostly useless.

In Solaris we've changed how TIOCSTI works; when a process reads the packet with the stuffed input, it then checks the credential of the sender.

So while the stuffed input is still echoed but ignored:

    # su nobody -c tiocsti
    exit
    echo Payload as `whoami`
    #

But when having root calling tiocsti, you get:

    # su root -c tiocsti
    exit
    echo Payload as `whoami`
    # exit
    Payload as root

(The exit here is not needed)

Casper
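A toy model of the read-time check described in the message above, added here as an illustration; it is not Solaris code and not part of the original post. The trust rule in `sender_ok` (accept uid 0 or the reader's own uid), the struct and function names, and the uid 60001 are assumptions.

```c
#include <string.h>
#include <sys/types.h>

#define QMAX 8

/* One queued input packet, tagged with the credential of whoever produced it. */
struct pkt { char data[64]; int stuffed; uid_t sender; };
struct tty { struct pkt q[QMAX]; int n; char echo[256]; /* echo = the screen */ };

/* Queue input. Stuffed input is echoed like typed input; nothing is checked here. */
static int tty_input(struct tty *t, int stuffed, uid_t sender, const char *s)
{
    if (t->n == QMAX || strlen(s) >= sizeof t->q[0].data) return -1;
    struct pkt *p = &t->q[t->n++];
    strcpy(p->data, s);
    p->stuffed = stuffed;
    p->sender = sender;
    strncat(t->echo, s, sizeof t->echo - strlen(t->echo) - 1);
    return 0;
}

/* ASSUMED policy: trust a stuffed packet only from uid 0 or the reader's own uid. */
static int sender_ok(const struct pkt *p, uid_t reader)
{
    return !p->stuffed || p->sender == 0 || p->sender == reader;
}

/* Drain the queue at read time, discarding packets from untrusted senders.
 * Returns the number of bytes delivered to the reader. */
static size_t tty_read(struct tty *t, uid_t reader, char *buf, size_t len)
{
    size_t out = 0;
    if (len == 0) return 0;
    buf[0] = '\0';
    for (int i = 0; i < t->n; i++) {
        size_t l = strlen(t->q[i].data);
        if (sender_ok(&t->q[i], reader) && out + l < len) {
            memcpy(buf + out, t->q[i].data, l + 1);  /* copies the NUL too */
            out += l;
        }
    }
    t->n = 0;
    return out;
}

int main(void)
{
    struct tty t = {0};
    char buf[128];
    tty_input(&t, 1, 60001, "echo Payload\n");  /* constructed: unprivileged sender */
    return tty_read(&t, 0, buf, sizeof buf) == 0 ? 0 : 1;  /* echoed, not delivered */
}
```

Because the check sits in the read path, not in the ioctl, the unprivileged payload still shows up in `echo` while the reader receives nothing, which matches the first transcript.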