oss-security June 2011 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] CVE request -- coreutils -- tty

Re: [oss-security] CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl

From: Ludwig Nussel <ludwig.nussel_at_nospam>
Date: Fri Jun 10 2011 - 09:55:11 GMT
To: oss-security@lists.openwall.com

Jan Lieskovsky wrote:
> Hello Josh, Steve, vendors,
>
> based on Debian BTS report:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
> (first CVE-2011-XXYY required for Debian case)
>
> looked more into original report:
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=173008
>
> and the first paragraph of [2] suggests:
> "When starting a program via "su - user -c program" the user session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the input buffer. This allows for example a non-root
> session to push "chmod 666 /etc/shadow" or similarly bad commands into
> the input buffer such that after the end of the session they are
> executed."

The issue also reminds me that there are several su implemenations.
On Fedora and SUSE we have a patched coreutils version, Debian uses
the one from shadow-utils and then there's also a su from
SimplePAMApps, used by e.g. Owl. Of course each one has it's own
quirks and weird features. Does anyone still remember why a
particular implementation was chosen? :-)

cu
Ludwig

-- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)