Date: Tue, 16 Jan 2024 22:12:57 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: <oss-security@...ts.openwall.com>
Subject: Re: TTY pushback vulnerabilities / TIOCSTI

* Jakub Wilk <jwilk@...lk.net>, 2024-01-08 06:52:
>* Hanno Böck <hanno@...eck.de>, 2023-03-24 19:56:
>>Here's a proposed patch to restrict access to the dangerous 
>>functionality.
>
>This patch has been included in Linux v6.7:
>https://git.kernel.org/linus/8d1b43f6a6df7bcea20982ad376a000d90906b42

Incidentally the patch fixes another minor vulnerability:

TIOCL_SETSEL selects text on the active vt, even when the fd you ran 
ioctl on refers to a different vt. Since switching virtual terminals 
doesn't require extra privileges, if /dev/ttyN is your controlling 
terminal, you can select text from any otherwise inaccessible vt, and 
then paste it into your own program.

Proof of concept (using minittyjack from my earlier posting[0]):

    n=$(fgconsole) m=$((n+1)) && chvt $m && minittyjack && chvt $n && cat

A more elaborate exploit is available here:
https://github.com/jwilk/vcsnoop


[0] https://www.openwall.com/lists/oss-security/2023/03/14/3/1

-- 
Jakub Wilk
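
A defensive complement to the report above, as an added example that is not part of the original message or of any project it mentions: a Python filter that picks TIOCLINUX and TIOCSTI calls out of Linux audit SYSCALL records. The audit rule shown in the comment, the key name and the sample log lines are constructed assumptions.

```python
import re

# Request numbers from <asm-generic/ioctls.h>. TIOCL_SETSEL is a TIOCLINUX
# subcode stored in user memory behind a2, so audit records cannot show it:
# every TIOCLINUX call is reported and has to be triaged by tty, uid and exe.
WATCHED = {0x5412: "TIOCSTI", 0x541C: "TIOCLINUX"}
# ioctl syscall number per audit arch value (x86_64, aarch64).
IOCTL_NR = {"c000003e": 16, "c00000b7": 29}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed records, as an assumed rule such as
#   -a always,exit -F arch=b64 -S ioctl -k tty_ioctl
# would log them; pids, paths and the key name are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1705439500.101:210): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=541c a2=7ffc1a2b3c40 a3=0 pid=1412 uid=1000 tty=tty2 comm="demo-select" exe="/home/alice/demo-select" key="tty_ioctl"
type=SYSCALL msg=audit(1705439500.180:211): arch=c000003e syscall=16 success=yes exit=0 a0=0 a1=5401 a2=7ffc1a2b3d10 a3=0 pid=1413 uid=1000 tty=tty2 comm="bash" exe="/usr/bin/bash" key="tty_ioctl"
type=SYSCALL msg=audit(1705439501.007:212): arch=c000003e syscall=16 success=no exit=-1 a0=0 a1=5412 a2=7ffc1a2b3e00 a3=0 pid=1420 uid=1000 tty=tty2 comm="demo-push" exe="/home/alice/demo-push" key="tty_ioctl"
type=SYSCALL msg=audit(1705439501.500:213): arch=c000003e syscall=1 success=yes exit=8 a0=1 a1=541c a2=8 a3=0 pid=1421 uid=1000 tty=tty2 comm="cat" exe="/usr/bin/cat" key="other"
"""


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def tty_ioctl_events(log_text):
    """Return one dict per ioctl(fd, TIOCSTI|TIOCLINUX, ...) SYSCALL record."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or "syscall" not in rec:
            continue
        # a1 only means "ioctl request" when the syscall really is ioctl.
        if IOCTL_NR.get(rec.get("arch")) != int(rec["syscall"]):
            continue
        name = WATCHED.get(int(rec.get("a1", "0"), 16))
        if name:
            events.append({"ioctl": name, "uid": rec.get("uid"),
                           "tty": rec.get("tty"), "exe": rec.get("exe"),
                           "success": rec.get("success") == "yes"})
    return events


if __name__ == "__main__":
    for ev in tty_ioctl_events(SAMPLE_LOG):
        print(ev)
```

A record with `success=no` means the kernel refused the call; a successful TIOCLINUX call still needs triage, since the audit record does not say which subfunction was requested.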
