Bug 1300746 (CVE-2016-2568) - CVE-2016-2568 polkit: Program run via pkexec as unprivileged user can escape to parent session via TIOCSTI ioctl
Summary: CVE-2016-2568 polkit: Program run via pkexec as unprivileged user can escape ...
Status: CLOSED WONTFIX
Alias: CVE-2016-2568
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160119,repor...
Keywords: Security
Depends On: 1299955 1300747
Blocks: 1300748
TreeView+ depends on / blocked
 
Reported: 2016-01-21 15:42 UTC by Adam Mariš
Modified: 2019-06-08 20:57 UTC (History)
6 users (show)

(edit)
It was found that pkexec was vulnerable to TIOCSTI ioctl attacks, allowing the executed program to push characters to its TTY's input buffer. While being executed as a non-privileged user, a specially crafted program could force its parent TTY to enter commands, interpreted by the shell when pkexec exits.
Clone Of:
(edit)
Last Closed: 2018-03-05 12:20:10 UTC


Attachments (Terms of Use)

Description Adam Mariš 2016-01-21 15:42:31 UTC
It was reported that when executing a program via "pkexec --user nonpriv program", the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation.

Original bug report (contains reproducer):

https://bugzilla.redhat.com/show_bug.cgi?id=1299955

Comment 1 Adam Mariš 2016-01-21 15:42:48 UTC
Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1300747]

Comment 2 Federico Manuel Bento 2016-01-26 14:37:03 UTC
I'd like to request a CVE for this issue, thanks.

Comment 3 Andrej Nemec 2016-02-26 07:53:05 UTC
CVE assignment:

http://seclists.org/oss-sec/2016/q1/443

Comment 6 Cedric Buissart 🐶 2018-03-05 12:20:20 UTC
Statement:

This issue affects the versions of polkit as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 7 Cedric Buissart 🐶 2018-03-05 12:21:29 UTC
Latest kernel upstream discussion for a kernel side fix: https://patchwork.kernel.org/patch/9753697/


Note You need to log in before you can comment on or make changes to this bug.