oss-sec mailing list archives

Re: TTY pushback vulnerabilities / TIOCSTI


From: Jakub Wilk <jwilk () jwilk net>
Date: Tue, 16 Jan 2024 22:12:57 +0100

* Jakub Wilk <jwilk () jwilk net>, 2024-01-08 06:52:
* Hanno Böck <hanno () hboeck de>, 2023-03-24 19:56:
Here's a proposed patch to restrict access to the dangerous functionality.

This patch has been included in Linux v6.7:
https://git.kernel.org/linus/8d1b43f6a6df7bcea20982ad376a000d90906b42

Incidentally the patch fixes another minor vulnerability:

TIOCL_SETSEL selects text on the active vt, even when the fd you ran ioctl on refers to a different vt. Since switching virtual terminals doesn't require extra privileges, if /dev/ttyN is your controlling terminal, you can select text from any otherwise inaccessible vt, and then paste it into your own program.

Proof of concept (using minittyjack from my earlier posting[0]):

   n=$(fgconsole) m=$((n+1)) && chvt $m && minittyjack && chvt $n && cat

A more elaborate exploit is available here:
https://github.com/jwilk/vcsnoop


[0] https://www.openwall.com/lists/oss-security/2023/03/14/3/1

--
Jakub Wilk

