oss-sec mailing list archives

Re: Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl

From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Sun, 28 Feb 2016 17:14:09 +0500

27.02.2016 18:44, cve-assign () mitre org пишет:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

When executing a program via "runuser -u nonpriv program" the
nonpriv session can
escape to the parent session by using the TIOCSTI ioctl to push
characters into the
terminal's input buffer

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922


Use CVE-2016-2779.


One more case:

chroot --userspec=someuser:somegroup / /path/to/test

This also runs "id" at the end.

--
Alexander E. Patrakov

Current thread:

CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl up201407890 (Feb 26)
- Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl cve-assign (Feb 27)
  - Re: Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl Alexander E. Patrakov (Feb 28)
    - Re: CVE Request: util-linux runuser tty hijacking via TIOCSTI ioctl -- chroot cve-assign (Feb 28)