Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: 
 <DS7PR10MB5358E5511783501575C5C133FDBF9@DS7PR10MB5358.namprd10.prod.outlook.com>
Date: Wed, 15 Mar 2023 09:26:24 +0000
From: Casper Dik <casper.dik@...cle.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: TTY pushback vulnerabilities / TIOCSTI

>On Wed, 15 Mar 2023, Fabian Keil wrote:

>> In ElectroBSD I removed TIOCSTI support in 2017 [0] and haven't noticed
>> any problems.

>I hate tossing out functionality; would you not make it a privileged
>operation instead?

>-- Dave


I think it makes it mostly useless.

In Solaris we've changed how TIOCSTI works; when a process reads the
packet with the stuffed input, it then checks the credential of the
sender.   So while the stuffed input is still echoed but ignored:

# su nobody -c tiocsti
exit
echo Payload as `whoami`
#

But when having root calling tciosti, you get:

# su root -c tiocsti
exit
echo Payload as `whoami`
# exit
Payload as root

(The exit here is not needed)

Casper

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.