Bug 1312863 (CVE-2016-2781)

Summary: CVE-2016-2781 coreutils: Non-privileged session can escape to the parent session in chroot
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, cbuissar, jonathan, kdudka, kzak, ovasik, slawomir, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that chroot was vulnerable to TIOCSTI ioctl attacks, allowing the executed program to push characters to its TTY's input buffer. While being executed as a non-privileged user, a specially crafted program could force its parent TTY to enter commands, interpreted by the shell when chroot exits.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-05 14:31:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1312864    
Bug Blocks: 1312867    

Description Adam Mariš 2016-02-29 12:10:09 UTC 
It was found that When executing a program via "chroot --userspec=someuser:somegroup / /path/to/test" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer.

CVE assignment:

http://seclists.org/oss-sec/2016/q1/452
Comment 1 Adam Mariš 2016-02-29 12:11:07 UTC 
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1312864]
Comment 4 Ondrej Vasik 2016-04-04 12:48:39 UTC 
Is that really against coreutils? Based on http://marc.info/?l=util-linux-ng&m=145694736107128&w=2 (and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922 ) it seems to be issue with runuser/su - therefore util-linux was IMHO correct.
Comment 5 Cedric Buissart 2016-04-05 15:35:33 UTC 
(In reply to Ondrej Vasik from comment #4)
> Is that really against coreutils? Based on
> http://marc.info/?l=util-linux-ng&m=145694736107128&w=2 (and
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922 ) it seems to be
> issue with runuser/su - therefore util-linux was IMHO correct.

This BZ is for chroot jailbreak. 
the similar util-linux attack has its own BZ & CVE : CVE-2016-2779
Comment 6 Cedric Buissart 2016-04-08 10:16:36 UTC 
Marking Not-a-bug for RHEL5 based on the following : 
RHEL5's chroot command does not have a drop-privilege feature (i.e. : --userspec). chroot will run command as a root, and it is expected from root to be able to break out of the jail (see https://securityblog.redhat.com/2013/03/27/is-chroot-a-security-feature/ or https://en.wikipedia.org/wiki/Chroot#Limitations for additional information)
Comment 7 Kamil Dudka 2016-09-27 11:48:56 UTC 
I am not aware of any fix for chroot without unintended side-effect.  The situation is fairly well described in util-linux-2.28 release notes:

    This security issue is NOT FIXED yet.  It is possible to disable the ioctl
    TIOCSTI by setsid() only.  Unfortunately, setsid() has well-defined use
    cases in su(1) and runuser(1) and any changes would introduce regressions.
    It seems we need a better way -- ideally another ioctl (or whatever is
    supported by the kernel) to disable TIOCSTI without setsid().

https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes

I am afraid the above statement applies to chroot, too.
Comment 8 Cedric Buissart 2016-09-27 12:50:21 UTC 
Yes it does, and to polkit as well (CVE-2016-2568).
This idea of the new ioctl was originally suggested in the thread http://www.spinics.net/lists/util-linux-ng/msg12451.html. 
There has been afaik no kernel side discussion, though.
Comment 13 Kamil Dudka 2017-08-29 15:10:34 UTC 
coreutils upstream has applied a similar patch (using libseccomp) on runcon:

http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-97-g8cb06d4
Comment 14 Kamil Dudka 2017-08-30 14:18:44 UTC 
(In reply to Kamil Dudka from comment #13)
> coreutils upstream has applied a similar patch (using libseccomp) on runcon:
> 
> http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-97-g8cb06d4

coreutils upstream has reverted the above patch:

http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
Comment 15 Cedric Buissart 2018-03-05 14:31:26 UTC 
Statement:

This issue affects the versions of coreutils as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 16 Cedric Buissart 2018-03-05 14:40:29 UTC 
Notes: 
- There has been kernel side discussion, with a patch proposal, to prevent unprivileged users to issue TIOCSTI ioctl. However, so far, the patchset has not been merged:
https://patchwork.kernel.org/patch/9753697/

- since v2.31, util-linux has added a --pty option (currently non-default), to prevent these attacks in runuser and su, via a setsid() call.