Plash TTY ioctl() Character Injection

2007-03-01T02:34:57
ID OSVDB:32598
Type osvdb
Reporter Mark Seaborn
Modified 2007-03-01T02:34:57

Description

Vulnerability Description

It is possible for a sandboxed process to put characters into the input stream of the terminal using the TIOCSTI ioctl() on the tty's file descriptor. This data may be interpreted by a shell running on the terminal, allowing the sandboxed process to run code with the full authority of the user.

Solution Description

Upgrade to version 1.18 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workarounds: not granting access to /dev/tty (this includes not using the -B option to pola-run), and proxying access to stdin/stdout/stderr by piping them through cat: "cat | pola-run ... 2>&1 | cat"

Another option would be, e.g., to implement PTraceJail, which would allow ioctl() calls to be blocked.
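The cat-proxy workaround above, wrapped in a launcher with a check that no terminal descriptor is inherited. This is an added example, not Plash code; the function names has_tty_fd, run_piped and run_if_no_tty are hypothetical.

```shell
#!/bin/sh
# Added example (not part of Plash). All function names are hypothetical.

# Succeeds if any of the given descriptors (default 0 1 2) is a terminal in
# the current process, and records them in TTY_FDS. One such descriptor is
# all a process needs to issue the TIOCSTI ioctl().
# Call it directly, never inside $(...): command substitution replaces fd 1
# with a pipe and would hide a terminal on stdout.
has_tty_fd() {
    [ "$#" -gt 0 ] || set -- 0 1 2
    TTY_FDS=""
    for fd in "$@"; do
        if [ -t "$fd" ]; then
            TTY_FDS="$TTY_FDS $fd"
        fi
    done
    [ -n "$TTY_FDS" ]
}

# Run a command with stdin, stdout and stderr proxied through cat, as in
# "cat | pola-run ... 2>&1 | cat". The command only ever sees pipes; the
# two cat processes are the ones holding the terminal.
# The pipeline's exit status is that of the trailing cat, not the command.
# The terminal can still be reached by path through /dev/tty if the sandbox
# exposes that file; this wrapper does not address that.
run_piped() {
    cat | "$@" 2>&1 | cat
}

# Refuse to start a command that would inherit a terminal on fd 0, 1 or 2.
run_if_no_tty() {
    if has_tty_fd 0 1 2; then
        echo "refusing to run: fds$TTY_FDS are terminals" >&2
        return 1
    fi
    "$@"
}
```

For example, `run_piped pola-run ...` keeps the terminal out of the sandboxed process's descriptors, and `run_if_no_tty` can guard a launcher script that is expected to run without one.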

References:

Vendor URL: http://plash.beasts.org/
Secunia Advisory ID: 24498
Other Advisory URL: http://plash.beasts.org/wiki/PlashIssues/TtyVulnerability
Mail List Post: http://lists.gnu.org/archive/html/plash/2007-03/msg00000.html
FrSIRT Advisory: ADV-2007-0909
CVE-2007-1400
Bugtraq ID: 22892