Date: Fri, 10 Jun 2011 11:55:11 +0200 From: Ludwig Nussel <ludwig.nussel@...e.de> To: oss-security@...ts.openwall.com Subject: Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl Jan Lieskovsky wrote: > Hello Josh, Steve, vendors, > > based on Debian BTS report: >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843 > (first CVE-2011-XXYY required for Debian case) > > looked more into original report: >  https://bugzilla.redhat.com/show_bug.cgi?id=173008 > > and the first paragraph of  suggests: > "When starting a program via "su - user -c program" the user session > can escape to the parent session by using the TIOCSTI ioctl to push > characters into the input buffer. This allows for example a non-root > session to push "chmod 666 /etc/shadow" or similarly bad commands into > the input buffer such that after the end of the session they are > executed." The issue also reminds me that there are several su implemenations. On Fedora and SUSE we have a patched coreutils version, Debian uses the one from shadow-utils and then there's also a su from SimplePAMApps, used by e.g. Owl. Of course each one has it's own quirks and weird features. Does anyone still remember why a particular implementation was chosen? :-) cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ