Bug 1300746 (CVE-2016-2568) - CVE-2016-2568 polkit: Program run via pkexec as unprivileged user can escape to parent session via TIOCSTI ioctl
Summary: CVE-2016-2568 polkit: Program run via pkexec as unprivileged user can escape ...
Alias: CVE-2016-2568
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1299955 1300747 1910646
Blocks: 1300748
TreeView+ depends on / blocked
Reported: 2016-01-21 15:42 UTC by Adam Mariš
Modified: 2023-09-22 09:20 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that pkexec was vulnerable to TIOCSTI ioctl attacks, allowing the executed program to push characters to its TTY's input buffer. While being executed as a non-privileged user, a specially crafted program could force its parent TTY to enter commands, interpreted by the shell when pkexec exits.
Clone Of:
Last Closed: 2018-03-05 12:20:10 UTC

Attachments (Terms of Use)

Description Adam Mariš 2016-01-21 15:42:31 UTC
It was reported that when executing a program via "pkexec --user nonpriv program", the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation.

Original bug report (contains reproducer):


Comment 1 Adam Mariš 2016-01-21 15:42:48 UTC
Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1300747]

Comment 2 Federico Manuel Bento 2016-01-26 14:37:03 UTC
I'd like to request a CVE for this issue, thanks.

Comment 3 Andrej Nemec 2016-02-26 07:53:05 UTC
CVE assignment:


Comment 6 Cedric Buissart 2018-03-05 12:20:20 UTC

This issue affects the versions of polkit as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 7 Cedric Buissart 2018-03-05 12:21:29 UTC
Latest kernel upstream discussion for a kernel side fix: https://patchwork.kernel.org/patch/9753697/

Note You need to log in before you can comment on or make changes to this bug.