Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <07bec2b1-c945-fc6e-0238-28acb21b5cfb@nmatt.com>
Date: Wed, 26 Apr 2017 10:21:36 -0400
From: Matt Brown <matt@...tt.com>
To: One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>,
 Jann Horn <jannh@...gle.com>
Cc: serge@...lyn.com, jmorris@...ei.org,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>, jslaby@...e.com,
 Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>,
 Andrew Morton <akpm@...ux-foundation.org>,
 kernel-hardening@...ts.openwall.com, linux-security-module@...r.kernel.org,
 linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org
Subject: Re: [PATCH v5 0/2] security: tty: make TIOCSTI ioctl require
 CAP_SYS_ADMIN

On 04/26/2017 08:47 AM, One Thousand Gnomes wrote:
>> open() what? As far as I know, for System-V PTYs, there is no path you can
>> open() that will give you the PTY master. Am I missing something?
>
> Sorry brain fade - no.
>>
>>>>> If I want to do the equvalent of the TIOCSTI attack then I fork a process
>>>>> and exit the parent. The child can now use ptrace to reprogram your shell
>>>>> to do whatever interesting things it likes (eg running child processes
>>>>> called "su" via a second pty/tty pair). Not exactly rocket science.
>>>>
>>>> Why would the child be able to ptrace the shell? AFAICS, in the most
>>>> relevant scenarios, the child can't ptrace the shell because the
>>>> shell has a different UID (in the case of e.g. su or sudo). In other
>>>
>>> If I am the attacker wanting to type something into your su when you go
>>> and su from my account, or where the user account is trojanned I do the
>>> following
>>>
>>> fork
>>> exit parent
>>> child ptraces the shell (same uid as it's not setuid)
>>>
>>> You type "su" return
>>> The modified shell opens a new pty/tty pair and runs su over it
>>> My ptrace hooks watch the pty/tty traffic until you go to the loo
>>> My ptrace hooks switch the console
>>> My ptrace hooks type lots of stuff and hack your machine while eating the
>>> output
>>>
>>> and you come back, do stuff and then exit
>>>
>>> And if you are in X it's even easier and I don't even need to care about
>>> sessions or anything. X has no mechanism to sanely fix the problem, but
>>> Wayland does.
>>
>> I think the "When using a program like su or sudo" in the patch description
>> refers to the usecase where you go from a more privileged context (e.g. a
>> root shell) to a less privileged one (e.g. a shell as a service-specific
>> account used to run a daemon), not the other way around.
>
> Which is the sudo case and why sudo uses a separate pty/tty pair as it's
> not just TIOCSTI that's an issue but there are a load of ioctls that do
> things like cause signals to the process or are just annoying -
> vhangup(), changing the speed etc
>
> (And for console changing the keymap - which is a nasty one)
>

Are any of these annoyances potential security issues? I would be happy
to add patches or modify this one to include extra hardening measures.

>> [However, I do think that it's a nice side effect of this patch that it will
>> prevent a malicious program from directly injecting something like an
>> SSH command into my shell in a sufficiently hardened environment
>> (with LSM restrictions that prevent the malicious program from opening
>> SSH keyfiles or executing another program that can do that). Although
>> you could argue that in such a case, the LSM should be taking care of
>> blocking TIOCSTI.]
>
> I would submit that creating a new pty/tty pair is the proper answer for
> that case however. Making the tty calls respect namespaces is however
> still a no-brainer IMHO.
>
> Alan
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.