Bug 1312852 (CVE-2016-2779)
Summary: | CVE-2016-2779 util-linux: runuser tty hijack via TIOCSTI ioctl | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | cbuissar, jonathan, kdudka, kzak, slawomir |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | util-linux 2.31 | Doc Type: | Bug Fix |
Doc Text: |
It was found that runuser was vulnerable to TIOCSTI ioctl attacks, allowing the executed program to push characters to its TTY's input buffer. While being executed as a non-privileged user, a specially crafted program could force its parent TTY to enter commands, interpreted by the shell when runuser exits.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2018-03-05 13:59:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1312855, 1551608 | ||
Bug Blocks: | 1312867 |
Description
Adam Mariš
2016-02-29 11:57:29 UTC
Created util-linux tracking bugs for this issue: Affects: fedora-all [bug 1312855] Upstream util-linux, since v2.31, adds an additional '--pty' option (currently disabled by default) for the runuser and su commands, that enforces a setsid() call, preventing these attacks : == without the --pty option == [root@fedora-devel util-linux]# strace -f -e execve,setsid,ioctl ./runuser -u cedric /tmp/hijack-tiocsti execve("./runuser", ["./runuser", "-u", "cedric", "/tmp/hijack-tiocsti"], 0x7ffccc142a50 /* 27 vars */) = 0 ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0 strace: Process 31076 attached [pid 31076] execve("/tmp/hijack-tiocsti", ["/tmp/hijack-tiocsti"], 0x7ffd5b1709f0 /* 27 vars */) = 0 [pid 31076] ioctl(0, TIOCSTI, "i"i) = 0 [pid 31076] ioctl(0, TIOCSTI, "d"d) = 0 [pid 31076] ioctl(0, TIOCSTI, "\n" ) = 0 [pid 31076] +++ exited with 0 +++ +++ exited with 0 +++ [root@fedora-devel util-linux]# id uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 == with the --pty option == [root@fedora-devel util-linux]# strace -f -e execve,setsid,ioctl ./runuser --pty -u cedric /tmp/hijack-tiocsti execve("./runuser", ["./runuser", "--pty", "-u", "cedric", "/tmp/hijack-tiocsti"], 0x7ffdde3810d8 /* 27 vars */) = 0 ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(0, TIOCGWINSZ, {ws_row=47, ws_col=173, ws_xpixel=1903, ws_ypixel=1008}) = 0 ioctl(6, TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(6, TIOCGPTN, [6]) = 0 ioctl(6, TIOCSPTLCK, [0]) = 0 ioctl(6, TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(6, TIOCGPTN, [6]) = 0 ioctl(8, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 -opost -isig -icanon -echo ...}) = 0 ioctl(8, TIOCSWINSZ, {ws_row=1, ws_col=0, ws_xpixel=4, ws_ypixel=0}) = 0 strace: Process 31081 attached [pid 31081] setsid() = 31081 [pid 31081] ioctl(8, TIOCSCTTY, 1) = 0 [pid 31081] execve("/tmp/hijack-tiocsti", ["/tmp/hijack-tiocsti"], 0x7ffff1dcd3d8 /* 27 vars */) = 0 [pid 31081] ioctl(0, TIOCSTI, "i") = 0 [pid 31081] ioctl(0, TIOCSTI, "d") = 0 [pid 31081] ioctl(0, TIOCSTI, "\n") = 0 [pid 31081] +++ exited with 0 +++ ioctl(0, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0 +++ exited with 0 +++ [root@fedora-devel util-linux]# (in the latter output, we can see the additional setsid() call, and the 'id' command was not successfully passed to the shell) Statement: This issue affects the versions of util-linux as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |