Bug 1312863 (CVE-2016-2781) - CVE-2016-2781 coreutils: Non-privileged session can escape to the parent session in chroot
Summary: CVE-2016-2781 coreutils: Non-privileged session can escape to the parent sess...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-2781
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1312864
Blocks: 1312867
Reported: 2016-02-29 12:10 UTC by Adam Mariš
Modified: 2021-02-17 04:16 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that chroot was vulnerable to TIOCSTI ioctl attacks, which allow the executed program to push characters into its TTY's input buffer. Even when executed as a non-privileged user (via --userspec), a specially crafted program could force its parent TTY to enter commands, which the shell interprets when chroot exits.
Clone Of:
Environment:
Last Closed: 2018-03-05 14:31:17 UTC
Embargoed:



Description Adam Mariš 2016-02-29 12:10:09 UTC
It was found that when executing a program via "chroot --userspec=someuser:somegroup / /path/to/test" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer.

CVE assignment:

http://seclists.org/oss-sec/2016/q1/452

Comment 1 Adam Mariš 2016-02-29 12:11:07 UTC
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1312864]

Comment 4 Ondrej Vasik 2016-04-04 12:48:39 UTC
Is that really against coreutils? Based on http://marc.info/?l=util-linux-ng&m=145694736107128&w=2 (and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922 ) it seems to be an issue with runuser/su - therefore util-linux was IMHO correct.

Comment 5 Cedric Buissart 2016-04-05 15:35:33 UTC
(In reply to Ondrej Vasik from comment #4)
> Is that really against coreutils? Based on
> http://marc.info/?l=util-linux-ng&m=145694736107128&w=2 (and
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922 ) it seems to be
> issue with runuser/su - therefore util-linux was IMHO correct.

This BZ is for the chroot jailbreak.
The similar util-linux attack has its own BZ & CVE: CVE-2016-2779

Comment 6 Cedric Buissart 2016-04-08 10:16:36 UTC
Marking Not-a-bug for RHEL5 based on the following:
RHEL5's chroot command does not have a drop-privilege feature (i.e., --userspec). chroot will run the command as root, and root is expected to be able to break out of the jail (see https://securityblog.redhat.com/2013/03/27/is-chroot-a-security-feature/ or https://en.wikipedia.org/wiki/Chroot#Limitations for additional information)

Comment 7 Kamil Dudka 2016-09-27 11:48:56 UTC
I am not aware of any fix for chroot without unintended side-effects. The situation is fairly well described in the util-linux 2.28 release notes:

    This security issue is NOT FIXED yet.  It is possible to disable the ioctl
    TIOCSTI by setsid() only.  Unfortunately, setsid() has well-defined use
    cases in su(1) and runuser(1) and any changes would introduce regressions.
    It seems we need a better way -- ideally another ioctl (or whatever is
    supported by the kernel) to disable TIOCSTI without setsid().

https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes

I am afraid the above statement applies to chroot, too.

Comment 8 Cedric Buissart 2016-09-27 12:50:21 UTC
Yes it does, and to polkit as well (CVE-2016-2568).
This idea of the new ioctl was originally suggested in the thread http://www.spinics.net/lists/util-linux-ng/msg12451.html. 
There has been afaik no kernel side discussion, though.

Comment 13 Kamil Dudka 2017-08-29 15:10:34 UTC
coreutils upstream has applied a similar patch (using libseccomp) on runcon:

http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-97-g8cb06d4

Comment 14 Kamil Dudka 2017-08-30 14:18:44 UTC
(In reply to Kamil Dudka from comment #13)
> coreutils upstream has applied a similar patch (using libseccomp) on runcon:
> 
> http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-97-g8cb06d4

coreutils upstream has reverted the above patch:

http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842

Comment 15 Cedric Buissart 2018-03-05 14:31:26 UTC
Statement:

This issue affects the versions of coreutils as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 16 Cedric Buissart 2018-03-05 14:40:29 UTC
Notes: 
- There has been kernel side discussion, with a patch proposal, to prevent unprivileged users from issuing the TIOCSTI ioctl. However, so far, the patchset has not been merged:
https://patchwork.kernel.org/patch/9753697/

- Since v2.31, util-linux has added a --pty option (currently non-default) to prevent these attacks in runuser and su, via a setsid() call.
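Both the util-linux 2.28 release notes quoted in comment 7 and the --pty note above rely on the same mechanism: the kernel only honours TIOCSTI from a process whose controlling terminal is the TTY being written to (or that has CAP_SYS_ADMIN), so running the child in a fresh session with no controlling terminal makes the parent's TTY unreachable. The following is an added example, not util-linux's --pty implementation and not code from this bug, showing that setsid() step and the check a reviewer would want afterwards; the function names (`has_controlling_tty`, `run_detached`, `detached_child_has_tty`) are this example's own. The regression the release notes mention is visible in the design: after setsid() the child is no longer in the terminal's foreground process group, so ^C and ^Z from the parent no longer reach it.

```c
/* Added example: the setsid()-based TIOCSTI mitigation from the
 * util-linux notes, with a self-check. Not util-linux's or coreutils' code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process has a controlling terminal, 0 if not,
 * -1 on an unexpected error. Opening /dev/tty is the portable probe: it
 * fails with ENXIO when the session has no controlling TTY. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY | O_CLOEXEC);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    /* ENXIO: no controlling TTY. ENOENT: /dev/tty absent (minimal
     * container), so there is nothing to inject into either. */
    if (errno == ENXIO || errno == ENOENT)
        return 0;
    return -1;
}

/* Run argv[] in a fresh session detached from the caller's TTY.
 * The inherited TTY fds still exist in the child, but TIOCSTI on them is
 * refused by the kernel because they are not the child's controlling TTY.
 * Returns the child's exit status, or -1 if fork/wait failed. */
int run_detached(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Right after fork() the child is never a process-group leader,
         * so setsid() cannot fail with EPERM. */
        if (setsid() < 0)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: fork, setsid(), and report from inside the new session
 * whether a controlling TTY is still reachable. Returns 0 when the child
 * is correctly detached, 1 if it still has one, -1 on error. */
int detached_child_has_tty(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)
            _exit(2);
        int r = has_controlling_tty();
        _exit(r < 0 ? 2 : r);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

int main(void)
{
    printf("parent has controlling tty: %d\n", has_controlling_tty());
    printf("child after setsid() has controlling tty: %d\n",
           detached_child_has_tty());
    char *const argv[] = { "true", NULL };
    printf("run_detached(true) exit status: %d\n", run_detached(argv));
    return 0;
}
```

Run from an interactive shell the first line prints 1 and the second 0; the difference is exactly what removes the parent's TTY from the child's reach, and also exactly why the child stops receiving terminal job-control signals.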

