Bug 1312852 - (CVE-2016-2779) CVE-2016-2779 util-linux: runuser tty hijack via TIOCSTI ioctl
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20160226,repor...
Keywords: Security
Depends On: 1312855 1551608
Blocks: 1312867
Reported: 2016-02-29 06:57 EST by Adam Mariš
Modified: 2018-05-04 09:16 EDT (History)
Fixed In Version: util-linux 2.31
Doc Type: Bug Fix
Doc Text:
It was found that runuser was vulnerable to TIOCSTI ioctl attacks, allowing the executed program to push characters to its TTY's input buffer. While being executed as a non-privileged user, a specially crafted program could force its parent TTY to enter commands, interpreted by the shell when runuser exits.
Last Closed: 2018-03-05 08:59:06 EST
Attachments: None
Description Adam Mariš 2016-02-29 06:57:29 EST
It was found that when executing a program via "runuser -u nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation. This issue has been fixed in "su" by calling setsid() and in "sudo" by using the "use_pty" flag.

CVE request (contains reproducer):

http://seclists.org/oss-sec/2016/q1/447
Comment 1 Adam Mariš 2016-02-29 06:59:37 EST
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1312855]
Comment 6 Cedric Buissart 2018-03-05 08:42:45 EST
Upstream util-linux, since v2.31, adds an additional '--pty' option (currently disabled by default) for the runuser and su commands, that enforces a setsid() call, preventing these attacks:

== without the --pty option ==
[root@fedora-devel util-linux]# strace -f -e execve,setsid,ioctl ./runuser  -u cedric /tmp/hijack-tiocsti
execve("./runuser", ["./runuser", "-u", "cedric", "/tmp/hijack-tiocsti"], 0x7ffccc142a50 /* 27 vars */) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
strace: Process 31076 attached
[pid 31076] execve("/tmp/hijack-tiocsti", ["/tmp/hijack-tiocsti"], 0x7ffd5b1709f0 /* 27 vars */) = 0
[pid 31076] ioctl(0, TIOCSTI, "i"i)      = 0
[pid 31076] ioctl(0, TIOCSTI, "d"d)      = 0
[pid 31076] ioctl(0, TIOCSTI, "\n"
)     = 0
[pid 31076] +++ exited with 0 +++
+++ exited with 0 +++
[root@fedora-devel util-linux]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023



== with the --pty option ==
[root@fedora-devel util-linux]# strace -f -e execve,setsid,ioctl ./runuser --pty -u cedric /tmp/hijack-tiocsti
execve("./runuser", ["./runuser", "--pty", "-u", "cedric", "/tmp/hijack-tiocsti"], 0x7ffdde3810d8 /* 27 vars */) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TIOCGWINSZ, {ws_row=47, ws_col=173, ws_xpixel=1903, ws_ypixel=1008}) = 0
ioctl(6, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, TIOCGPTN, [6])                 = 0
ioctl(6, TIOCSPTLCK, [0])               = 0
ioctl(6, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, TIOCGPTN, [6])                 = 0
ioctl(8, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 -opost -isig -icanon -echo ...}) = 0
ioctl(8, TIOCSWINSZ, {ws_row=1, ws_col=0, ws_xpixel=4, ws_ypixel=0}) = 0
strace: Process 31081 attached
[pid 31081] setsid()                    = 31081
[pid 31081] ioctl(8, TIOCSCTTY, 1)      = 0
[pid 31081] execve("/tmp/hijack-tiocsti", ["/tmp/hijack-tiocsti"], 0x7ffff1dcd3d8 /* 27 vars */) = 0
[pid 31081] ioctl(0, TIOCSTI, "i")      = 0
[pid 31081] ioctl(0, TIOCSTI, "d")      = 0
[pid 31081] ioctl(0, TIOCSTI, "\n")     = 0
[pid 31081] +++ exited with 0 +++
ioctl(0, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0
+++ exited with 0 +++
[root@fedora-devel util-linux]#

(in the latter output, we can see the additional setsid() call, and the 'id' command was not successfully passed to the shell)
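The mitigation the description names for su (setsid()) and sudo (use_pty), and that the two strace outputs above contrast, can be checked directly: a child that keeps the parent's session and tty shares the parent's session id, while a child started under setsid() with a fresh pseudo-terminal as its controlling tty reports a different session id, and any TIOCSTI it issues on fd 0 lands in its own pty rather than in the invoking shell's input buffer (the --pty trace shows exactly that: the ioctl calls still return 0, but nothing reaches the parent terminal). The following is an added example, not util-linux code; it uses Python's pty.fork(), which performs the fork/setsid/TIOCSCTTY sequence seen in the --pty trace, and a constructed child command that merely prints its own session id.

```python
import os
import pty
import select
import sys

# Constructed child command for this example: it prints the session id the
# child ended up in (os.getsid(0) is the calling process's own session).
REPORT_SID = [sys.executable, "-c", "import os; print(os.getsid(0))"]


def _exit_code(status):
    """Turn a waitpid() status into an exit code (negative = killed by signal)."""
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)
    if os.WIFSIGNALED(status):
        return -os.WTERMSIG(status)
    return -1


def run_inherited(argv):
    """Run argv the way the vulnerable runuser did: plain fork()+exec(), so the
    child inherits the parent's session and controlling terminal.
    Returns (exit_code, stdout_bytes)."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.dup2(wfd, 1)
        os.close(rfd)
        os.close(wfd)
        os.execvp(argv[0], argv)
        os._exit(127)  # only reached if exec failed
    os.close(wfd)
    chunks = []
    while True:
        data = os.read(rfd, 4096)
        if not data:
            break
        chunks.append(data)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    return _exit_code(status), b"".join(chunks)


def run_in_fresh_session(argv, timeout=10.0):
    """Run argv in a new session whose controlling terminal is a freshly
    allocated pty (pty.fork() does fork + setsid() + TIOCSCTTY, the steps
    visible in the --pty strace). The parent relays the child's output from
    the master side. Returns (exit_code, output_bytes)."""
    pid, master_fd = pty.fork()
    if pid == 0:
        os.execvp(argv[0], argv)
        os._exit(127)
    chunks = []
    try:
        while True:
            ready, _, _ = select.select([master_fd], [], [], timeout)
            if not ready:
                break
            try:
                data = os.read(master_fd, 4096)
            except OSError:  # EIO: the slave side closed when the child exited
                break
            if not data:
                break
            chunks.append(data)
    finally:
        os.close(master_fd)
    _, status = os.waitpid(pid, 0)
    return _exit_code(status), b"".join(chunks)


def child_session_id(isolated):
    """Session id reported by the child, with or without the setsid()/pty isolation."""
    runner = run_in_fresh_session if isolated else run_inherited
    code, out = runner(REPORT_SID)
    if code != 0:
        raise RuntimeError("child failed with exit code %d" % code)
    return int(out.decode().strip())


def session_is_isolated(isolated):
    """True when the child lives in a different session from us, i.e. its
    fd 0 is no longer our terminal and a TIOCSTI there cannot feed our shell."""
    return child_session_id(isolated) != os.getsid(0)


if __name__ == "__main__":
    print("parent session id:", os.getsid(0))
    print("child session id, inherited tty:", child_session_id(False))
    print("child session id, fresh pty + setsid():", child_session_id(True))
```

Running the script shows the inherited child reporting the parent's session id and the pty-backed child reporting its own pid as session id. Note that setsid() alone is not sufficient if the child still holds file descriptors to the original terminal; the pseudo-terminal is what replaces those descriptors, which is why both su's setsid() and sudo's use_pty pair the new session with a new tty.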
Comment 8 Cedric Buissart 2018-03-05 08:59:16 EST
Statement:

This issue affects the versions of util-linux as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
