login: su, sudo: Local security hole -- arbitrary character injection
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| shadow (Debian) | Fix Released | Unknown | | |
| shadow (Ubuntu) | Invalid | Low | Unassigned | |
Bug Description
Automatically imported from Debian bug report #262453 http://
In Debian Bug tracker #262453, Jan Minar (jjminar) wrote : merging 262453 262455 | #1 |
In Debian Bug tracker #262453, Karl Ramm (kcr) wrote : Re: Bug#262453: login: su, sudo: Local security hole -- arbitrary character injection | #2 |
closing duplicate report
In Debian Bug tracker #262453, Karl Ramm (kcr) wrote : delete duplicate report | #3 |
unmerge 262453
reopen 262455
thanks
Undo incorrect merge and reopen
kcr
In Debian Bug tracker #262453, Matt Zimmerman (mdz) wrote : Re: Bug#262453: login: su, sudo: Local security hole -- arbitrary character injection | #4 |
tags 262453 - security
tags 262454 - security
tags 262629 - security
thanks
On Sat, Jul 31, 2004 at 04:12:44AM +0200, Jan Minar wrote:
> Package: login
> Version: 20000902-12
> Severity: critical
> Justification: root security hole
> Tags: security
>
> Hi.
>
> As Russell Coker pointed out in
> [1]<email address hidden>, there is a flaw in su &
> sudo which allows the attacker to stuff arbitrary characters into the
> caller's keyboard buffer.
>
> [1] http://
>
> Because the file descriptor(s) pointing to the tty aren't closed, and
> the su/sudo process is not a session leader:
You mustn't take the beginning of a discussion on a mailing list and go
about filing Severity: critical bugs by way of a followup. By all means,
follow the discussion and participate if it interests you, but don't begin
by filing high-severity bugs.
> Even worse, su/sudo can't be used as a sandboxing/
> tool
Sounds like a feature request; the man pages don't describe this use case,
and there are certainly many other ways that a process running under su/sudo
can attempt to exploit the user invoking it.
> Simply put, the process being run using su/sudo shouldn't have any access
> to your tty in the first place.
Have you thought about this? Undoubtedly the most common use case for su is
to start a shell, and you're saying that it shouldn't have any access to the
tty. That's a sign to slow down and reconsider the situation. I think that
you filed these bugs as a premature reaction to a potential new security
concern.
Please delay filing of bugs requesting changes in packages until there has
been discussion and consensus on this subject.
--
- mdz
In Debian Bug tracker #262453, Matt Zimmerman (mdz) wrote : | #6 |
On Sun, Aug 01, 2004 at 08:16:31PM +0200, Jan Minar wrote:
> On Sun, Aug 01, 2004 at 09:54:45AM -0700, Matt Zimmerman wrote:
> > tags 262453 - security
> > tags 262454 - security
> > tags 262629 - security
>
> Do You mean by this the ability of one UID to execute commands on behalf
> of another UID is not security related??
I mean that you are not handling this issue appropriately.
> In fact, I read both the debian-security & fedora-devel threads. I really
> don't get why You got so upset about my writing the POC, checking that
> those three programs are vulnerable, and writing the bugreports.
I read the debian-security thread (all 6 messages), and at no point was
there cause to panic and file 4 critical bugs demanding that maintainers
make a change that you unilaterally chose.
Indeed, Russell explained why this issue would be very complex to solve in
su
> > Sounds like a feature request; the man pages don't describe this use
> > case, and there are certainly many other ways that a process running
> > under su/sudo can attempt to exploit the user invoking it.
>
> There are zillions of scripts in /etc/init.d/ that use su/sudo for
> dropping privileges.
I have never seen a single Debian init script use sudo, so I would be
interested if you could show me at least one of the "zillions". I would
consider it a bug.
On my system (147 init scripts), a total of three (3) use su, one of those
uses it correctly (without inheriting stdin/stdout/
uses it in a certain non-default configuration.
> And I've yet to learn of a way to drop privileges in a more secure way.
start-stop-daemon opens /dev/null on stdin/stdout/
other file descriptors.
> > > Simply put, the process being run using su/sudo shouldn't have any access
> > > to your tty in the first place.
>
> After it (apparently) exits, that's what I meant. -- The new thing here
> would be wrt the su (sudo/super/...) session, backgrounded processes
> would be denied read/write/execute access to the tty, if the su session
> ended, or if the current foreground process was not part of the su
> session.
Linux does not provide any way to revoke privileges from a process once they
have been granted, so this is equivalent to what you said before.
--
- mdz
In Debian Bug tracker #262453, Karl Ramm (kcr) wrote : make sure everything is recorded together | #7 |
tags 262455 - security
reopen 262453
tage 262453 - security
merge 262453 262455
thanks
Due to an unfortunate series of events, the discussion ended up spread
across several logs. This reopens and remerges the bugs so they can be
closed as one.
kcr
Debian Bug Importer (debzilla) wrote : | #8 |
Automatically imported from Debian bug report #262453 http://
Debian Bug Importer (debzilla) wrote : | #9 |
Message-ID: <email address hidden>
Date: Sat, 31 Jul 2004 04:12:44 +0200
From: Jan Minar <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: login: su, sudo: Local security hole -- arbitrary character injection
Package: login
Version: 20000902-12
Severity: critical
Justification: root security hole
Tags: security
Hi.
As Russell Coker pointed out in
[1]<email address hidden>, there is a flaw in su &
sudo which allows the attacker to stuff arbitrary characters into the
caller's keyboard buffer.
[1] http://
Because the file descriptor(s) pointing to the tty aren't closed, and
the su/sudo process is not a session leader:
> [...] any other code running in the same UID could take over the
> process via ptrace, fork off a child process that inherits the
> administrator tty, and then stuff characters into the keyboard buffer
> with ioctl(fd,
Note that there are some programs that are routinely run this way, such
as /etc/init.d/* .
Even worse, su/sudo can't be used as a sandboxing/
tool, as a malicious code could be *written* to exploit this loophole.
Also, once the remote attacker has taken the control of the service,
s/he can inject keystrokes, too. Simply put, the process being run
using su/sudo shouldn't have any access to your tty in the first place.
Also, allowing ptrace()ing of processes run with su/sudo opens the door
to various scams and program output manipulation which wouldn't be
possible if the caller run the program under his/her UID.
Cheers,
Jan
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux kontryhel 2.4.26-jan #6 SMP Tue Jul 27 21:24:30 CEST 2004 i686
Locale: LANG=C, LC_CTYPE=
Versions of packages login depends on:
ii libc6 2.2.5-11.5 GNU C Library: Shared libraries an
ii libpam-modules 0.72-35 Pluggable Authentication Modules f
ii libpam0g 0.72-35 Pluggable Authentication Modules l
--
"To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
where this started and I think it goes back to the time I went to the circus,
and a clown killed my dad."
Debian Bug Importer (debzilla) wrote : | #10 |
Message-Id: <email address hidden>
Date: Sat, 31 Jul 2004 05:35:56 +0200 (CEST)
From: <email address hidden> (Jan Minar)
To: <email address hidden>
Subject: merging 262453 262455
merge 262453 262455
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: 31 Jul 2004 01:19:07 -0400
From: <email address hidden>
To: <email address hidden>
Subject: Re: Bug#262453: login: su, sudo: Local security hole -- arbitrary character injection
closing duplicate report
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: 31 Jul 2004 11:21:44 -0400
From: <email address hidden>
To: <email address hidden>
Subject: delete duplicate report
unmerge 262453
reopen 262455
thanks
Undo incorrect merge and reopen
kcr
Debian Bug Importer (debzilla) wrote : | #13 |
Message-ID: <email address hidden>
Date: Sun, 1 Aug 2004 09:54:45 -0700
From: Matt Zimmerman <email address hidden>
To: Jan Minar <email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>
Cc: Russell Coker <email address hidden>
Subject: Re: Bug#262453: login: su, sudo: Local security hole -- arbitrary character injection
tags 262453 - security
tags 262454 - security
tags 262629 - security
thanks
On Sat, Jul 31, 2004 at 04:12:44AM +0200, Jan Minar wrote:
> Package: login
> Version: 20000902-12
> Severity: critical
> Justification: root security hole
> Tags: security
>
> Hi.
>
> As Russell Coker pointed out in
> [1]<email address hidden>, there is a flaw in su &
> sudo which allows the attacker to stuff arbitrary characters into the
> caller's keyboard buffer.
>
> [1] http://
>
> Because the file descriptor(s) pointing to the tty aren't closed, and
> the su/sudo process is not a session leader:
You mustn't take the beginning of a discussion on a mailing list and go
about filing Severity: critical bugs by way of a followup. By all means,
follow the discussion and participate if it interests you, but don't begin
by filing high-severity bugs.
> Even worse, su/sudo can't be used as a sandboxing/
> tool
Sounds like a feature request; the man pages don't describe this use case,
and there are certainly many other ways that a process running under su/sudo
can attempt to exploit the user invoking it.
> Simply put, the process being run using su/sudo shouldn't have any access
> to your tty in the first place.
Have you thought about this? Undoubtedly the most common use case for su is
to start a shell, and you're saying that it shouldn't have any access to the
tty. That's a sign to slow down and reconsider the situation. I think that
you filed these bugs as a premature reaction to a potential new security
concern.
Please delay filing of bugs requesting changes in packages until there has
been discussion and consensus on this subject.
--
- mdz
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Sun, 1 Aug 2004 20:16:31 +0200
From: Jan Minar <email address hidden>
To: Matt Zimmerman <email address hidden>
Cc: <email address hidden>, <email address hidden>,
<email address hidden>, Russell Coker <email address hidden>
Subject: Re: Bug#262453: login: su, sudo: Local security hole -- arbitrary character injection
On Sun, Aug 01, 2004 at 09:54:45AM -0700, Matt Zimmerman wrote:
> tags 262453 - security
> tags 262454 - security
> tags 262629 - security
Do You mean by this the ability of one UID to execute commands on behalf
of another UID is not security related??
> > Because the file descriptor(s) pointing to the tty aren't closed, and
> > the su/sudo process is not a session leader:
>
> You mustn't take the beginning of a discussion on a mailing list and go
> about filing Severity: critical bugs by way of a followup. By all means,
> follow the discussion and participate if it interests you, but don't begin
> by filing high-severity bugs.
In fact, I read both the debian-security & fedora-devel threads. I
really don't get why You got so upset about my writing the POC, checking
that those three programs are vulnerable, and writing the bugreports.
> > Even worse, su/sudo can't be used as a sandboxing/
> > tool
>
> Sounds like a feature request; the man pages don't describe this use case,
> and there are certainly many other ways that a process running under su/sudo
> can attempt to exploit the user invoking it.
There are zillions of scripts in /etc/init.d/ that use su/sudo for
dropping privileges. And I've yet to learn of a way to drop privileges
in a more secure way.
> > Simply put, the process being run using su/sudo shouldn't have any access
> > to your tty in the first place.
After it (apparently) exits, that's what I meant. -- The new thing here
would be wrt the su (sudo/super/...) session, backgrounded processes
would be denied read/write/execute access to the tty, if the su session
ended, or if the current foreground process was not part of the su
session.
Jan.
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Sun, 1 Aug 2004 11:41:11 -0700
From: Matt Zimmerman <email address hidden>
To: Jan Minar <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>,
Russell Coker <email address hidden>
Subject: Re: Bug#262453: login: su, sudo: Local security hole -- arbitrary character injection
On Sun, Aug 01, 2004 at 08:16:31PM +0200, Jan Minar wrote:
> On Sun, Aug 01, 2004 at 09:54:45AM -0700, Matt Zimmerman wrote:
> > tags 262453 - security
> > tags 262454 - security
> > tags 262629 - security
>
> Do You mean by this the ability of one UID to execute commands on behalf
> of another UID is not security related??
I mean that you are not handling this issue appropriately.
> In fact, I read both the debian-security & fedora-devel threads. I really
> don't get why You got so upset about my writing the POC, checking that
> those three programs are vulnerable, and writing the bugreports.
I read the debian-security thread (all 6 messages), and at no point was
there cause to panic and file 4 critical bugs demanding that maintainers
make a change that you unilaterally chose.
Indeed, Russell explained why this issue would be very complex to solve in
su
> > Sounds like a feature request; the man pages don't describe this use
> > case, and there are certainly many other ways that a process running
> > under su/sudo can attempt to exploit the user invoking it.
>
> There are zillions of scripts in /etc/init.d/ that use su/sudo for
> dropping privileges.
I have never seen a single Debian init script use sudo, so I would be
interested if you could show me at least one of the "zillions". I would
consider it a bug.
On my system (147 init scripts), a total of three (3) use su, one of those
uses it correctly (without inheriting stdin/stdout/
uses it in a certain non-default configuration.
> And I've yet to learn of a way to drop privileges in a more secure way.
start-stop-daemon opens /dev/null on stdin/stdout/
other file descriptors.
> > > Simply put, the process being run using su/sudo shouldn't have any access
> > > to your tty in the first place.
>
> After it (apparently) exits, that's what I meant. -- The new thing here
> would be wrt the su (sudo/super/...) session, backgrounded processes
> would be denied read/write/execute access to the tty, if the su session
> ended, or if the current foreground process was not part of the su
> session.
Linux does not provide any way to revoke privileges from a process once they
have been granted, so this is equivalent to what you said before.
--
- mdz
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: 02 Aug 2004 02:47:27 -0400
From: <email address hidden>
To: <email address hidden>
Subject: make sure everything is recorded together
tags 262455 - security
reopen 262453
tage 262453 - security
merge 262453 262455
thanks
Due to an unfortunate series of events, the discussion ended up spread
across several logs. This reopens and remerges the bugs so they can be
closed as one.
kcr
Debian Bug Importer (debzilla) wrote : | #17 |
*** Bug 7276 has been marked as a duplicate of this bug. ***
In Debian Bug tracker #262453, Thomas Hood (jdthood-aglu) wrote : severity noncritical | #18 |
severity 262453 important
thanks
Perhaps something can be done to make su less risky to use
in certain ways. For now, as the maintainer said, the submitter
> should be bothering the people who maintain the kernel and/or
> the people who maintain packages that drop privilege with su.
Debian Bug Importer (debzilla) wrote : | #19 |
Message-Id: <email address hidden>
Date: Fri, 20 Aug 2004 18:36:52 +0200
From: Thomas Hood <email address hidden>
To: <email address hidden>
Subject: severity noncritical
severity 262453 important
thanks
Perhaps something can be done to make su less risky to use
in certain ways. For now, as the maintainer said, the submitter
> should be bothering the people who maintain the kernel and/or
> the people who maintain packages that drop privilege with su.
Matt Zimmerman (mdz) wrote : | #20 |
Not really a bug in these applications
In Debian Bug tracker #262453, Christian Perrier (bubulle) wrote : Dealing with these bug reports will certainly need external input | #21 |
tags 262453 help upstream
tags 262455 help upstream
retitle 262453 [EXPERT] login: su, sudo: Local security hole -- arbitrary character injection
retitle 262455 [EXPERT] login: su, sudo, super: Local security hole -- arbitrary character injection
thanks
The nature of these bugs and the added comments lead me to think we
might need external help to deal with them properly.
Tomasz, may you have a look at them.
I tag the bugs accordingly and thus introduce a new pseudo-tag in
titles (a method I steal from the dpkg maintainer) to show that
some deep expertise is needed to help us in that issue which must
probably be discussed with Debian security experts.
--
Debian Bug Importer (debzilla) wrote : | #22 |
Message-ID: <email address hidden>
Date: Wed, 23 Mar 2005 20:02:46 +0100
From: Christian Perrier <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Dealing with these bug reports will certainly need external input
tags 262453 help upstream
tags 262455 help upstream
retitle 262453 [EXPERT] login: su, sudo: Local security hole -- arbitrary character injection
retitle 262455 [EXPERT] login: su, sudo, super: Local security hole -- arbitrary character injection
thanks
The nature of these bugs and the added comments lead me to think we
might need external help to deal with them properly.
Tomasz, may you have a look at them.
I tag the bugs accordingly and thus introduce a new pseudo-tag in
titles (a method I steal from the dpkg maintainer) to show that
some deep expertise is needed to help us in that issue which must
probably be discussed with Debian security experts.
--
In Debian Bug tracker #262453, Christian Perrier (bubulle) wrote : Bug 262453: Marking one of these bugs as wontfix and closing one of both as duplicate | #23 |
severity 262453 normal
tags 262453 wontfix
thanks
Tomasz, at least could you have a look at http://
All the advice in these bug logs actually shows that su/sudo is probably
not the right place to fix the issue.
Having no clue about the right place to fix this, I hereby close one
of the bugs. The other one will probably sit forever in the passwd bug
log, unless Tomasz fixes it upstream.
As this may be unlikely, I tag the bug as "wontfix". At least, for
sure, we won't fix this alone in the Debian package.
Last comments from IRC:
11:52 < rleigh> bubulle: It's not something I'm all that familiar with, but it seems somewhat
it being possible to fix in su/sudo, because the most common use cases involve
or at least requiring stdin/stdout/stderr (so the file descriptors can't be
11:52 < rleigh> start-stop-daemon, though. For the others, I think it needs fixing in the init
11:57 < bubulle> well given that advice and mdz comments in the bug log I'm very tempted to
12:01 < rleigh> bubulle: I'm not saying it's not exploitable, but I don't think su/sudo is the
the file descriptors.
--
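mdz's description of start-stop-daemon (/dev/null on the standard descriptors, everything else closed) and rleigh's IRC remark about calling setsid() and cleaning up the file descriptors describe the same defensive pattern. The following is an added C example, not code from shadow, sudo or start-stop-daemon: a launcher that forks, detaches the child from the invoking terminal's session, sanitises its descriptors, drops to a target uid/gid and only then runs a callback. The function names (run_detached, check_isolated) are hypothetical; check_isolated is a self-check run inside the child that reports whether any path back to the caller's tty survived.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*child_fn)(void);

/* Point fds 0-2 at /dev/null and close everything above them, so the child
 * holds no descriptor that still refers to the invoking user's terminal. */
static int sanitize_fds(void)
{
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd < 0)
        return -1;
    for (int fd = 0; fd < 3; fd++)
        if (dup2(nullfd, fd) < 0)
            return -1;
    if (nullfd > 2) close(nullfd);
    struct rlimit rl;
    long maxfd = 65536;  /* bounded sweep; close_range() is cheaper on recent kernels */
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < (rlim_t)maxfd)
        maxfd = (long)rl.rlim_cur;
    for (long fd = 3; fd < maxfd; fd++)
        close((int)fd);
    return 0;
}

/* Permanently switch to uid/gid (a no-op when not started as root) and
 * verify that root cannot be regained afterwards. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() != 0 && geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;  /* a real drop makes setuid(0) fail */
}

/* Fork, detach the child from the caller's session and tty, strip its fds,
 * drop privileges, then run fn. Returns fn's exit status, 12x for a failed
 * setup step, or -1 if the child did not exit normally. */
int run_detached(child_fn fn, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* A fresh child is never a group leader, so setsid() succeeds and the
         * child leaves the terminal's session: /dev/tty stops resolving for it. */
        if (setsid() < 0) _exit(120);
        if (sanitize_fds() < 0) _exit(121);
        if (drop_privileges(uid, gid) < 0) _exit(122);
        _exit(fn() & 0xff);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Runs inside the child: 0 if nothing from the caller's terminal survived,
 * otherwise a code naming the first leak found. */
int check_isolated(void)
{
    if (isatty(0) || isatty(1) || isatty(2)) return 1;   /* a std fd is still a terminal */
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd >= 0) { close(fd); return 2; }                 /* still has a controlling tty */
    for (int i = 3; i < 1024; i++)
        if (fcntl(i, F_GETFD) != -1) return 3;            /* an inherited descriptor leaked */
    return 0;
}
```

Running run_detached(check_isolated, getuid(), getgid()) from any process should return 0; a plain fork() without the setsid()/sanitize_fds() steps lets check_isolated report whichever terminal descriptor or controlling tty the parent still had.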
Debian Bug Importer (debzilla) wrote : | #24 |
Message-ID: <email address hidden>
Date: Sun, 11 Sep 2005 12:31:06 +0200
From: Christian Perrier <email address hidden>
To: Tomasz =?utf-8?
Cc: <email address hidden>, <email address hidden>
Subject: Bug 262453: Marking one of these bugs as wontfix and closing one of both as duplicate
severity 262453 normal
tags 262453 wontfix
thanks
Tomasz, at least could you have a look at http://
bugreport.cgi?bug=262453 ?
All the advice in these bug logs actually shows that su/sudo is probably
not the right place to fix the issue.
Having no clue about the right place to fix this, I hereby close one
of the bugs. The other one will probably sit forever in the passwd bug
log, unless Tomasz fixes it upstream.
As this may be unlikely, I tag the bug as "wontfix". At least, for
sure, we won't fix this alone in the Debian package.
Last comments from IRC:
11:52 < rleigh> bubulle: It's not something I'm all that familiar with, but it seems somewhat
in any case. I can't see
it being possible to fix in su/sudo, because the most common use cases involve
d being either interactive
or at least requiring stdin/stdout/stderr (so the file descriptors can't be
11:52 < rleigh> start-stop-daemon, though. For the others, I think it needs fixing in the init
11:57 < bubulle> well given that advice and mdz comments in the bug log I'm very tempted to
12:01 < rleigh> bubulle: I'm not saying it's not exploitable, but I don't think su/sudo is the
option to tell it it was
to setsid() and clean up
the file descriptors.
--
reopen 262453
reopen 262455
unmerge 262453 262455
close 262455
thanks
reopen 262453
reopen 262455
unmerge 262455
close 262455
Debian Bug Importer (debzilla) wrote : | #27 |
Message-ID: <email address hidden>
Date: Sun, 11 Sep 2005 15:51:08 +0200
From: Christian Perrier <email address hidden>
To: <email address hidden>
Subject: Re: [Pkg-shadow-devel] Bug#262453: marked as done ([EXPERT] login: su,
sudo: Local security hole -- arbitrary character injection)
reopen 262453
reopen 262455
unmerge 262453 262455
close 262455
thanks
Debian Bug Importer (debzilla) wrote : | #28 |
Message-ID: <email address hidden>
Date: Sun, 11 Sep 2005 16:10:43 +0200
From: Christian Perrier <email address hidden>
To: <email address hidden>
Subject: Re: Processed: Re: [Pkg-shadow-devel] Bug#262453: marked as done ([EXPERT] login: su,
sudo: Local security hole -- arbitrary character injection)
reopen 262453
reopen 262455
unmerge 262455
close 262455
In Debian Bug tracker #262453, Christian Perrier (bubulle) wrote : bug 262453 is not forwarded | #29 |
# Automatically generated email from bts, devscripts version 2.9.8
notforwarded 262453
Debian Bug Importer (debzilla) wrote : | #30 |
Message-Id: <email address hidden>
Date: Thu, 27 Oct 2005 23:17:37 +0200
From: Christian Perrier <email address hidden>
To: <email address hidden>
Subject: bug 262453 is not forwarded
# Automatically generated email from bts, devscripts version 2.9.8
notforwarded 262453
In Debian Bug tracker #262453, Christian Perrier (bubulle) wrote : Retitle bugs | #31 |
retitle 334264 shadow: [INTL:sv] Swedish programs translation
retitle 276419 su appends the positional args to the command line
retitle 277767 su segfaults using encrypted LDAP (online)
owner 332198 Alexander Gattin <email address hidden>
retitle 262453 login: su, sudo: Local security hole -- arbitrary character injection
retitle 296729 useradd does not preserve sticky bits on directories from the skeleton
thans
--
Debian Bug Importer (debzilla) wrote : | #32 |
Message-ID: <email address hidden>
Date: Fri, 28 Oct 2005 22:07:39 +0200
From: Christian Perrier <email address hidden>
To: <email address hidden>
Subject: Retitle bugs
retitle 334264 shadow: [INTL:sv] Swedish programs translation
retitle 276419 su appends the positional args to the command line
retitle 277767 su segfaults using encrypted LDAP (online)
owner 332198 Alexander Gattin <email address hidden>
retitle 262453 login: su, sudo: Local security hole -- arbitrary character injection
retitle 296729 useradd does not preserve sticky bits on directories from the skeleton
thans
--
In Debian Bug tracker #262453, Christian Perrier (bubulle) wrote : Closing rhetorical bug | #33 |
This bug report has been definitely catalogued as purely
rhetorical... Hence closing it, as nothing with much added value has been
added in about 6 months. There's no point in keeping useless bug
reports open.
--
Daniel Robitaille (robitaille) wrote : | #34 |
Was closed in Debian in Feb 2006.
Changed in shadow:
status: Unconfirmed → Rejected
merge 262453 262455