Bug 1312852 (CVE-2016-2779) - CVE-2016-2779 util-linux: runuser tty hijack via TIOCSTI ioctl
Summary: CVE-2016-2779 util-linux: runuser tty hijack via TIOCSTI ioctl
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-2779
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1312855 1551608
Blocks: 1312867
Reported: 2016-02-29 11:57 UTC by Adam Mariš
Modified: 2021-02-17 04:16 UTC (History)

Fixed In Version: util-linux 2.31
Doc Type: Bug Fix
Doc Text:
It was found that runuser was vulnerable to TIOCSTI ioctl attacks, which allow the executed program to push characters into its TTY's input buffer. While running as a non-privileged user, a specially crafted program could push commands into its parent TTY, which the shell then interprets when runuser exits.
Clone Of:
Environment:
Last Closed: 2018-03-05 13:59:06 UTC
Embargoed:



Description Adam Mariš 2016-02-29 11:57:29 UTC
It was found that when executing a program via "runuser -u nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation. This issue has been fixed in "su" by calling setsid() and in "sudo" by using the "use_pty" flag.

CVE request (contains reproducer):

http://seclists.org/oss-sec/2016/q1/447

Comment 1 Adam Mariš 2016-02-29 11:59:37 UTC
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1312855]

Comment 6 Cedric Buissart 2018-03-05 13:42:45 UTC
Upstream util-linux, since v2.31, adds an additional '--pty' option (currently disabled by default) for the runuser and su commands, that enforces a setsid() call, preventing these attacks:

== without the --pty option ==
[root@fedora-devel util-linux]# strace -f -e execve,setsid,ioctl ./runuser  -u cedric /tmp/hijack-tiocsti
execve("./runuser", ["./runuser", "-u", "cedric", "/tmp/hijack-tiocsti"], 0x7ffccc142a50 /* 27 vars */) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
strace: Process 31076 attached
[pid 31076] execve("/tmp/hijack-tiocsti", ["/tmp/hijack-tiocsti"], 0x7ffd5b1709f0 /* 27 vars */) = 0
[pid 31076] ioctl(0, TIOCSTI, "i"i)      = 0
[pid 31076] ioctl(0, TIOCSTI, "d"d)      = 0
[pid 31076] ioctl(0, TIOCSTI, "\n"
)     = 0
[pid 31076] +++ exited with 0 +++
+++ exited with 0 +++
[root@fedora-devel util-linux]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023



== with the --pty option ==
[root@fedora-devel util-linux]# strace -f -e execve,setsid,ioctl ./runuser --pty -u cedric /tmp/hijack-tiocsti
execve("./runuser", ["./runuser", "--pty", "-u", "cedric", "/tmp/hijack-tiocsti"], 0x7ffdde3810d8 /* 27 vars */) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(0, TIOCGWINSZ, {ws_row=47, ws_col=173, ws_xpixel=1903, ws_ypixel=1008}) = 0
ioctl(6, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, TIOCGPTN, [6])                 = 0
ioctl(6, TIOCSPTLCK, [0])               = 0
ioctl(6, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, TIOCGPTN, [6])                 = 0
ioctl(8, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 -opost -isig -icanon -echo ...}) = 0
ioctl(8, TIOCSWINSZ, {ws_row=1, ws_col=0, ws_xpixel=4, ws_ypixel=0}) = 0
strace: Process 31081 attached
[pid 31081] setsid()                    = 31081
[pid 31081] ioctl(8, TIOCSCTTY, 1)      = 0
[pid 31081] execve("/tmp/hijack-tiocsti", ["/tmp/hijack-tiocsti"], 0x7ffff1dcd3d8 /* 27 vars */) = 0
[pid 31081] ioctl(0, TIOCSTI, "i")      = 0
[pid 31081] ioctl(0, TIOCSTI, "d")      = 0
[pid 31081] ioctl(0, TIOCSTI, "\n")     = 0
[pid 31081] +++ exited with 0 +++
ioctl(0, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0
+++ exited with 0 +++
[root@fedora-devel util-linux]#

(in the latter output, we can see the additional setsid() call, and the 'id' command was not successfully passed to the shell)
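The following is an added example, not util-linux code, that shows why the setsid() call visible in the second trace above matters: the kernel only honours TIOCSTI on a tty that is the caller's controlling terminal (or for a caller holding CAP_SYS_ADMIN), and a child that has called setsid() has no controlling terminal at all, so open("/dev/tty") fails with ENXIO. The probe forks a child standing in for the program runuser executes and reports that state back over a pipe.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child, optionally call setsid() in it (the step the --pty fix adds),
 * then try to open the child's controlling terminal. Returns 0 if the child
 * still has one, the child's errno otherwise (ENXIO = no controlling tty),
 * or -1 if the probe itself failed. */
static int probe_ctty_after_fork(int call_setsid)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                        /* child: stands in for the runuser'd program */
        int rc = 0;
        if (call_setsid && setsid() < 0)   /* new session: the controlling-tty link is dropped */
            rc = -1;
        if (rc == 0) {
            int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
            if (fd < 0)
                rc = errno;                /* ENXIO once setsid() has run */
            else
                close(fd);
        }
        if (write(fds[1], &rc, sizeof rc) != (ssize_t)sizeof rc)
            _exit(1);
        _exit(0);
    }
    close(fds[1]);
    int rc = -1;
    if (read(fds[0], &rc, sizeof rc) != (ssize_t)sizeof rc)
        rc = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return rc;
}

int main(void)
{
    int inherited = probe_ctty_after_fork(0);
    int detached  = probe_ctty_after_fork(1);
    printf("child in caller's session: open(/dev/tty) -> %s\n",
           inherited == 0 ? "ok (that tty is a valid TIOCSTI target)" : strerror(inherited));
    printf("child after setsid():      open(/dev/tty) -> %s\n",
           detached == 0 ? "ok" : strerror(detached));
    return detached == ENXIO ? 0 : 1;
}
```

A child that keeps CAP_SYS_ADMIN (for example runuser to root) passes the kernel's ownership check regardless, which is why --pty additionally hands the child a freshly allocated pty instead of the caller's terminal, as the TIOCGPTN/TIOCSCTTY calls in the trace show.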

Comment 8 Cedric Buissart 2018-03-05 13:59:16 UTC
Statement:

This issue affects the versions of util-linux as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

