Document the privilege-escalation vulnerability in pleaser. #1798

Merged


alexanderkjall
Contributor

Note that the reproducer doesn't work out of the box on a modern kernel, as the ioctl TIOCSTI is disabled by default nowadays.

@Shnatsel
Member

Shnatsel commented Oct 2, 2023

Thank you for the report!

This is clearly a security issue with a published PoC that has not been addressed for 5 months, so I am going to merge this directly and notify the upstream issue after the fact.

Could you also add a note that many modern Linux distributions disable that IOCTL, and a way to test if your system is vulnerable? That would make the advisory more actionable.

I believe simply running sysctl dev.tty.legacy_tiocsti should show it, and if set to 1 it would be exploitable. Could you confirm that this command outputs 0 on the systems that are not affected?

@alexanderkjall
Contributor Author

I added a section on how to check if TIOCSTI is disabled, but I don't know if that also affects TIOCLINUX (and the PoC doesn't use that, so hard to test without building a new PoC).

@Shnatsel
Member

Shnatsel commented Oct 3, 2023

Ah, good point about TIOCLINUX!

If the steps only cover part of the attack surface, it is best to leave them out. No reason to give a false sense of security when TIOCSTI is disabled but TIOCLINUX is not.

@Shnatsel Shnatsel merged commit 59c41cb into rustsec:main Oct 3, 2023
1 check passed
@alexanderkjall alexanderkjall deleted the document-pleaser-TIOCSTI-vulnerability branch October 3, 2023 14:21