1300746 – (CVE-2016-2568) CVE-2016-2568 polkit: Program run via pkexec as unprivileged user can escape to parent session via TIOCSTI ioctl

Bug 1300746 (CVE-2016-2568) - CVE-2016-2568 polkit: Program run via pkexec as unprivileged user can escape to parent session via TIOCSTI ioctl

Summary: CVE-2016-2568 polkit: Program run via pkexec as unprivileged user can escape ...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2016-2568
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1299955 1300747 1910646
Blocks:	1300748
TreeView+	depends on / blocked

Reported:	2016-01-21 15:42 UTC by Adam Mariš
Modified:	2023-09-22 09:20 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that pkexec was vulnerable to TIOCSTI ioctl attacks, allowing the executed program to push characters to its TTY's input buffer. While being executed as a non-privileged user, a specially crafted program could force its parent TTY to enter commands, interpreted by the shell when pkexec exits.
Clone Of:
Environment:
Last Closed:	2018-03-05 12:20:10 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2016-01-21 15:42:31 UTC

It was reported that when executing a program via "pkexec --user nonpriv program", the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation.

Original bug report (contains reproducer):

https://bugzilla.redhat.com/show_bug.cgi?id=1299955

Comment 1 Adam Mariš 2016-01-21 15:42:48 UTC

Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1300747]

Comment 2 Federico Manuel Bento 2016-01-26 14:37:03 UTC

I'd like to request a CVE for this issue, thanks.

Comment 3 Andrej Nemec 2016-02-26 07:53:05 UTC

CVE assignment:

http://seclists.org/oss-sec/2016/q1/443

Comment 6 Cedric Buissart 2018-03-05 12:20:20 UTC

Statement:

This issue affects the versions of polkit as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 7 Cedric Buissart 2018-03-05 12:21:29 UTC

Latest kernel upstream discussion for a kernel side fix: https://patchwork.kernel.org/patch/9753697/

Note You need to log in before you can comment on or make changes to this bug.