Date: Thu, 3 Sep 2015 03:19:31 +0200
From: Jann Horn <jann@...jh.net>
To: oss-security@...ts.openwall.com
Subject: OpenSSH: CVE-2015-6565 (pty issue in 6.8-6.9) can lead to local privesc on Linux

OpenSSH 6.8-6.9 chmod()ed the connection's PTY slave to mode 0622
(world-writable). This issue was discovered by Nikolay Edigaryev, fixed in
OpenSSH 7.0 and assigned CVE-2015-6565.

On Linux, the impact of this issue is higher because a local attacker can
carry out the following attack:

After the PTY has been unlocked and the slave has been chmod()ed, but before
the ssh server's child has made the PTY slave its controlling terminal, the
attacker opens the slave device with open(..., O_WRONLY). (This is pretty easy
to do, just open() the device in a loop until it works and hope that you were
the first one.) The Linux kernel will then make the PTY slave the controlling
terminal of the attacker's process. (The slave will therefore not become the
controlling terminal of sshd's child, but that's not a problem for the
attacker.) The victim's shell opens normally, but the attacker can now
perform ioctls on the slave that require having the PTY slave as controlling
terminal, most importantly TIOCSTI (pushback). Using this ioctl, the attacker
can write arbitrary commands into the victim user's terminal - not as output
to the user, but as input into the terminal that is delivered to the user's
shell - and thereby obtain code execution as the targeted user.

This attack was successfully tested against OpenSSH 6.9p1 compiled from source
on a Fedora box.

For a bit more about TIOCSTI, see
<http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>.

The trivial attack makes it obvious to the victim that something's going on,
but it's not hard to make the entered command and the shell's new prompt
invisible.

A kernel patch that tightens the rules for opening a TTY as controlling
terminal is probably going to land soon.
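The following is an added defender-side check, not code from the post above or from the OpenSSH project. It audits the slave devices under /dev/pts for the symptom the post describes, a slave left world-writable (mode 0622), and flags any slave whose "other" write bit is set. The set of "expected" modes (0620 with the tty group, or 0600) is an assumption based on common devpts defaults; adjust it for your distribution. It only catches the file-permission symptom on the affected OpenSSH versions, so it complements, rather than replaces, upgrading to 7.0 or later.

```python
#!/usr/bin/env python3
"""Audit PTY slave devices under /dev/pts for the world-writable mode
that OpenSSH 6.8-6.9 left behind (CVE-2015-6565).

Added example for illustration; not from the original post or OpenSSH.
EXPECTED_MODES is an assumption (typical devpts/grantpt defaults)."""
import os
import stat
import sys

# Modes a correctly behaving sshd/grantpt leaves on a slave (assumption).
EXPECTED_MODES = {0o620, 0o600}


def pty_slave_findings(mode):
    """Return a list of finding strings for a slave with the given st_mode.

    The vulnerable pattern is exactly what the post describes: the
    'other' write bit is set, so any local user can open() the slave
    O_WRONLY. Non-default but not world-writable modes get a softer note.
    """
    perm = stat.S_IMODE(mode)
    findings = []
    if perm & stat.S_IWOTH:
        findings.append(
            f"world-writable (mode {perm:04o}): matches CVE-2015-6565 pattern")
    elif perm not in EXPECTED_MODES:
        findings.append(f"unexpected mode {perm:04o}")
    return findings


def audit_pty_dir(pts_dir="/dev/pts", require_chardev=True):
    """Walk pts_dir and return {path: [findings]} for every slave device.

    By default only character devices are inspected and the 'ptmx'
    multiplexer node is skipped. require_chardev=False lets the same
    logic run over ordinary files in a scratch directory for testing.
    """
    results = {}
    for name in sorted(os.listdir(pts_dir)):
        if name == "ptmx":
            continue
        path = os.path.join(pts_dir, name)
        try:
            st = os.stat(path)
        except OSError:
            # A slave can vanish between listdir() and stat(); ignore it.
            continue
        if require_chardev and not stat.S_ISCHR(st.st_mode):
            continue
        findings = pty_slave_findings(st.st_mode)
        if findings:
            results[path] = findings
    return results


def main(argv):
    """CLI entry point: exit 1 if any slave is flagged, 0 otherwise."""
    pts_dir = argv[1] if len(argv) > 1 else "/dev/pts"
    results = audit_pty_dir(pts_dir)
    for path, findings in results.items():
        for finding in findings:
            print(f"{path}: {finding}")
    return 1 if results else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root (or any user that can stat /dev/pts entries) while users are logged in over ssh; a non-zero exit means at least one live slave is world-writable. Pairing it with a cron job or a configuration-management check gives a cheap regression signal for the permission bug itself, independent of the kernel-side TIOCSTI hardening the post anticipates.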
