
[Plash] TTY ioctl() vulnerability


From: Mark Seaborn
Subject: [Plash] TTY ioctl() vulnerability
Date: Thu, 01 Mar 2007 23:33:47 +0000 (GMT)

I have discovered a vulnerability in Plash: It is possible for a
sandboxed process to insert characters into the input stream of the
terminal using the TIOCSTI ioctl() on the terminal file descriptor.
If the user's shell runs on the same terminal, this provides a way for
the sandboxed process to execute commands with the full authority of
the user.

See http://plash.beasts.org/wiki/PlashIssues/TtyVulnerability

Also see this bug report for a related problem in Apache:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357561

I think the immediate way to fix this is to proxy access to the
terminal, and deny the ability to open /dev/tty.  The simplest
implementation could hand the sandboxed process a socket FD or a pair
of pipe FDs rather than a pty FD.

Mark
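
The pipe-FD approach suggested in the message above can be checked with the following added example, which is not part of the original post and is not Plash code. The helper names `run_with_pipe_fds` and `child_check` are hypothetical; the child's fds 0-2 are pipe ends owned by a relaying parent, and the other half of the proposed fix, denying the ability to open /dev/tty, is not shown.

```c
#include <errno.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in the child. Returns 0 when none of fds 0-2 is a terminal and each
 * rejects TIOCSTI with ENOTTY. isatty() is tested first, so the ioctl is
 * only ever issued on a descriptor that is not a tty. */
int child_check(void)
{
    char c = 'x';
    for (int fd = 0; fd <= 2; fd++) {
        if (isatty(fd))
            return 1;
        errno = 0;
        if (ioctl(fd, TIOCSTI, &c) != -1 || errno != ENOTTY)
            return 2;
    }
    return 0;
}

/* Hypothetical proxy helper: fork child_fn with pipe ends as fds 0-2, relay
 * its output to out_fd, return its exit status (or -1 on error). */
int run_with_pipe_fds(int (*child_fn)(void), int out_fd)
{
    int in[2], out[2], status;
    char buf[256];
    ssize_t n;
    pid_t pid;
    if (pipe(in) < 0 || pipe(out) < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        dup2(in[0], 0); dup2(out[1], 1); dup2(out[1], 2);
        int fds[4] = { in[0], in[1], out[0], out[1] };
        for (int i = 0; i < 4; i++)
            if (fds[i] > 2) close(fds[i]);
        _exit(child_fn());
    }
    close(in[0]); close(in[1]); close(out[1]); /* child's stdin reads EOF */
    while ((n = read(out[0], buf, sizeof buf)) > 0)
        if (write(out_fd, buf, (size_t)n) < 0) break;
    close(out[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) { return run_with_pipe_fds(child_check, STDOUT_FILENO); }
```

A real proxy would also have to close every other descriptor the child inherits, since any remaining FD that refers to the terminal still accepts terminal ioctls.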



