Bug 1312852 (CVE-2016-2779)

Summary: CVE-2016-2779 util-linux: runuser tty hijack via TIOCSTI ioctl
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: cbuissar, jonathan, kdudka, kzak, slawomir
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: util-linux 2.31
Doc Type: Bug Fix
Doc Text:
It was found that runuser was vulnerable to TIOCSTI ioctl attacks, which allow the executed program to push characters into its TTY's input buffer. A specially crafted program run as a non-privileged user could thereby force the parent TTY to enter commands, which the shell interprets once runuser exits.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-05 13:59:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1312855, 1551608
Bug Blocks: 1312867

Description Adam Mariš 2016-02-29 11:57:29 UTC
It was found that when executing a program via "runuser -u nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation. This issue has been fixed in "su" by calling setsid() and in "sudo" by using the "use_pty" flag.

CVE request (contains reproducer):

http://seclists.org/oss-sec/2016/q1/447

Comment 1 Adam Mariš 2016-02-29 11:59:37 UTC
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1312855]

Comment 6 Cedric Buissart 2018-03-05 13:42:45 UTC
Upstream util-linux, since v2.31, adds an additional '--pty' option (currently disabled by default) for the runuser and su commands, that enforces a setsid() call, preventing these attacks:

== without the --pty option ==
[root@fedora-devel util-linux]# strace -f -e execve,setsid,ioctl ./runuser  -u cedric /tmp/hijack-tiocsti
execve("./runuser", ["./runuser", "-u", "cedric", "/tmp/hijack-tiocsti"], 0x7ffccc142a50 /* 27 vars */) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
strace: Process 31076 attached
[pid 31076] execve("/tmp/hijack-tiocsti", ["/tmp/hijack-tiocsti"], 0x7ffd5b1709f0 /* 27 vars */) = 0
[pid 31076] ioctl(0, TIOCSTI, "i"i)      = 0
[pid 31076] ioctl(0, TIOCSTI, "d"d)      = 0
[pid 31076] ioctl(0, TIOCSTI, "\n"
)     = 0
[pid 31076] +++ exited with 0 +++
+++ exited with 0 +++
[root@fedora-devel util-linux]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

== with the --pty option ==
[root@fedora-devel util-linux]# strace -f -e execve,setsid,ioctl ./runuser --pty -u cedric /tmp/hijack-tiocsti
execve("./runuser", ["./runuser", "--pty", "-u", "cedric", "/tmp/hijack-tiocsti"], 0x7ffdde3810d8 /* 27 vars */) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TIOCGWINSZ, {ws_row=47, ws_col=173, ws_xpixel=1903, ws_ypixel=1008}) = 0
ioctl(6, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, TIOCGPTN, [6])                 = 0
ioctl(6, TIOCSPTLCK, [0])               = 0
ioctl(6, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, TIOCGPTN, [6])                 = 0
ioctl(8, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 -opost -isig -icanon -echo ...}) = 0
ioctl(8, TIOCSWINSZ, {ws_row=1, ws_col=0, ws_xpixel=4, ws_ypixel=0}) = 0
strace: Process 31081 attached
[pid 31081] setsid()                    = 31081
[pid 31081] ioctl(8, TIOCSCTTY, 1)      = 0
[pid 31081] execve("/tmp/hijack-tiocsti", ["/tmp/hijack-tiocsti"], 0x7ffff1dcd3d8 /* 27 vars */) = 0
[pid 31081] ioctl(0, TIOCSTI, "i")      = 0
[pid 31081] ioctl(0, TIOCSTI, "d")      = 0
[pid 31081] ioctl(0, TIOCSTI, "\n")     = 0
[pid 31081] +++ exited with 0 +++
ioctl(0, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0
+++ exited with 0 +++
[root@fedora-devel util-linux]#

(in the latter output, we can see the additional setsid() call, and the 'id' command was not successfully passed to the shell)
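The mitigation pattern visible in the traces above (the setsid() call, and with --pty a fresh pseudo-terminal made the child's controlling tty), as an added example that is not util-linux code: a small C program that forks a command into its own session, optionally attaches a new pty the way --pty does, and has the child report what it sees. The kernel honours TIOCSTI only when the target tty is the caller's controlling terminal (or the caller has CAP_SYS_ADMIN), so a child that has left the parent's session can no longer type into the parent's terminal through an inherited descriptor. The function names, the `session_report` struct and the /dev/tty probe are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child observed about itself once set up; sent to the parent over a pipe.
 * (Example structure, not part of util-linux.) */
struct session_report {
    pid_t child_pid;
    pid_t child_sid;  /* getsid(0) in the child; equals child_pid after setsid() */
    int   has_ctty;   /* 1 if the child has a controlling terminal, else 0 */
    int   pty_error;  /* errno if attaching a fresh pty failed, else 0 */
};

/* Does the caller have a controlling terminal?  open("/dev/tty") fails with
 * ENXIO when it has none.  In that state the kernel refuses TIOCSTI on any
 * inherited tty descriptor, because TIOCSTI is only honoured when the target
 * tty is the caller's controlling terminal (or the caller has CAP_SYS_ADMIN). */
static int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Child side, after setsid(): allocate a pty and make its slave the controlling
 * terminal and stdio, as util-linux's --pty does.  The master is kept open in
 * the child here so the slave stays usable; util-linux keeps the master in the
 * parent and relays I/O.  Returns 0, or -1 with errno set. */
static int attach_fresh_pty(void)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0)
        return -1;
    const char *name = ptsname(master);
    if (name == NULL)
        return -1;
    int slave = open(name, O_RDWR | O_NOCTTY);
    if (slave < 0)
        return -1;
    if (ioctl(slave, TIOCSCTTY, 0) < 0)   /* the new session leader adopts the new tty */
        return -1;
    for (int fd = 0; fd < 3; fd++)
        if (dup2(slave, fd) < 0)
            return -1;
    if (slave > 2)
        close(slave);
    return 0;
}

/* Fork, move the child into its own session (optionally onto its own pty),
 * exec argv if non-NULL, and collect the child's report in *rep.
 * Returns the child's exit status, or -1 on a parent-side failure. */
int run_in_new_session(char *const argv[], int want_pty, struct session_report *rep)
{
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }
    if (pid == 0) {                                  /* child */
        close(pipefd[0]);
        struct session_report r = { .child_pid = getpid() };
        if (setsid() < 0)                            /* leave the parent's session and ctty */
            _exit(125);
        if (want_pty && attach_fresh_pty() < 0)
            r.pty_error = errno;
        r.child_sid = getsid(0);
        r.has_ctty = has_controlling_tty();
        if (write(pipefd[1], &r, sizeof r) != (ssize_t)sizeof r)
            _exit(126);
        close(pipefd[1]);
        if (argv == NULL)
            _exit(0);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(pipefd[1]);                                /* parent */
    ssize_t n = read(pipefd[0], rep, sizeof *rep);
    close(pipefd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || n != (ssize_t)sizeof *rep)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "/bin/sh", "-c", "exit 0", NULL };
    struct session_report rep;
    int rc = run_in_new_session(argv, 1, &rep);
    printf("parent sid=%d  child pid=%d sid=%d  ctty=%s  pty=%s  exit=%d\n",
           (int)getsid(0), (int)rep.child_pid, (int)rep.child_sid,
           rep.has_ctty ? "yes" : "no",
           rep.pty_error ? strerror(rep.pty_error) : "attached", rc);
    return rc == 0 ? 0 : 1;
}
```

Without `want_pty` the child ends up exactly like the su fix in the description: its own session, no controlling terminal at all, so the inherited fd 0 can no longer be driven with TIOCSTI. With `want_pty` the child gets the same isolation but keeps a working terminal of its own, which is what the second trace above shows (the setsid() followed by TIOCSCTTY on the new pty, and the injected "id" landing in that pty instead of the root shell).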

Comment 8 Cedric Buissart 2018-03-05 13:59:16 UTC
Statement:

This issue affects the versions of util-linux as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.