author: Stanislav Brabec, 2016-03-02 20:35:54 +0100
committer: Karel Zak, 2016-09-29 14:24:00 +0200
commit: a0a8e9884443601abf9f06b715f2f6bb0820cbad
tree: 8e518a607b1613a372df472daecbe911195c6d35 /tests/helpers
parent: libmount: paranoid change in mnt_table_is_fs_mounted()
tests: Add helper for TIOCSTI exploit

This helper/exploit injects "id -u -n\n" to the vulnerable calling terminal.
Use id -u -n to get a reproducible output of test cases based on it.

What can happen:
- Nothing, no exploit: pty is not accessible, setsid() disconnected the task from pty, TIOCSTI failed.
- The command is injected to the unprivileged environment pty, and you see e.g. "nobody": This is acceptable.
- The command is injected to the caller (privileged) pty, and you see "root" (or caller uid name): This is not acceptable and has security implications.

References:

CVE-2016-2779
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2779
http://seclists.org/oss-sec/2016/q1/448
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
https://bugzilla.redhat.com/show_bug.cgi?id=173008
https://bugzilla.suse.com/show_bug.cgi?id=968674
https://bugzilla.suse.com/show_bug.cgi?id=968675

CVE-2016-2781
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2781
http://seclists.org/oss-sec/2016/q1/452

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
Cc: Federico Bento <up201407890@alunos.dcc.fc.up.pt>

Diffstat (limited to 'tests/helpers')
-rw-r--r-- tests/helpers/Makemodule.am | 3
-rw-r--r-- tests/helpers/test_tiocsti.c | 27
2 files changed, 30 insertions, 0 deletions
diff --git a/tests/helpers/Makemodule.am b/tests/helpers/Makemodule.am
index 0618e7578..3070a8bbc 100644
--- a/tests/helpers/Makemodule.am
+++ b/tests/helpers/Makemodule.am
@@ -15,3 +15,6 @@ check_PROGRAMS += test_sigreceive
test_sigreceive_SOURCES = tests/helpers/test_sigreceive.c
test_sigreceive_LDADD = $(LDADD) libcommon.la
+check_PROGRAMS += test_tiocsti
+test_tiocsti_SOURCES = tests/helpers/test_tiocsti.c
+
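Review bot: the final added line of this hunk is an empty line after `test_tiocsti_SOURCES = tests/helpers/test_tiocsti.c`, which leaves Makemodule.am ending in a blank line; drop it. Since this entry builds a deliberate TIOCSTI injector, a one-line comment above `check_PROGRAMS += test_tiocsti` stating that it is a test-only helper (built for `make check`, never installed) would make the intent clear to anyone reading the makefile without the commit message.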
diff --git a/tests/helpers/test_tiocsti.c b/tests/helpers/test_tiocsti.c
new file mode 100644
index 000000000..c269dc037
--- /dev/null
+++ b/tests/helpers/test_tiocsti.c
@@ -0,0 +1,27 @@
+/*
+ * test_tiocsti - test security of TIOCSTI
+ *
+ * Written by Federico Bento <up201407890@alunos.dcc.fc.up.pt>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <sys/ioctl.h>
+
+int main(void)
+{
+ char *cmd = "id -u -n\n";
+ while(*cmd)
+ ioctl(0, TIOCSTI, cmd++);
+}
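Review bot: the return value of `ioctl(0, TIOCSTI, cmd++)` in the loop is ignored, so the "TIOCSTI failed" outcome listed in the commit message is indistinguishable from a successful injection by exit status, and main() falls off the end without an explicit return. Check the result and stop on the first failure, for example `if (ioctl(0, TIOCSTI, cmd++) < 0) return 1;`, and add `return 0;` at the end, so that a test script can tell "ioctl refused" apart from "injected but landed on a different pty". Two smaller points: `cmd` points at a string literal and should be `const char *cmd`, and `while(*cmd)` wants a space after `while` to match the surrounding code style. A short comment in main() that fd 0 is assumed to be the controlling terminal of the caller under test would also help.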