From a0a8e9884443601abf9f06b715f2f6bb0820cbad Mon Sep 17 00:00:00 2001
From: Stanislav Brabec
Date: Wed, 2 Mar 2016 20:35:54 +0100
Subject: tests: Add helper for TIOCSTI exploit

This helper/exploit injects "id -u -n\n" to the vulnerable calling terminal.

Use id -u -n to get a reproducible output of test cases based on it.

What can happen:

Nothing, no exploit: pty is not accessible, sedsid() disconnected the task from
pty, TIOCSTI failed.

The command is injected to the unprivileged environment pty, and you see e. g.
"nobody": This is acceptable.

The command is injected to the caller (privileged) pty, and you see "root" (or
caller uid name): This is not acceptable and has security implications.

References:

CVE-2016-2779
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2779
http://seclists.org/oss-sec/2016/q1/448
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
https://bugzilla.redhat.com/show_bug.cgi?id=173008
https://bugzilla.suse.com/show_bug.cgi?id=968674
https://bugzilla.suse.com/show_bug.cgi?id=968675

CVE-2016-2781
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2781
http://seclists.org/oss-sec/2016/q1/452

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
Cc: Federico Bento <up201407890@alunos.dcc.fc.up.pt>
---
 tests/commands.sh | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'tests/commands.sh')

diff --git a/tests/commands.sh b/tests/commands.sh
index b20e6f587..e0a9b0d13 100644
--- a/tests/commands.sh
+++ b/tests/commands.sh
@@ -32,6 +32,7 @@ TS_HELPER_SCRIPT="$top_builddir/test_script"
 TS_HELPER_SIGRECEIVE="$top_builddir/test_sigreceive"
 TS_HELPER_STRUTILS="$top_builddir/test_strutils"
 TS_HELPER_SYSINFO="$top_builddir/test_sysinfo"
+TS_HELPER_TIOCSTI="$top_builddir/test_tiocsti"
 TS_HELPER_UUID_PARSER="$top_builddir/test_uuid_parser"
 
 # paths to commands
@@ -75,6 +76,7 @@ TS_CMD_MOUNTPOINT=${TS_CMD_MOUNTPOINT:-"$top_builddir/mountpoint"}
 TS_CMD_NAMEI=${TS_CMD_NAMEI-"$top_builddir/namei"}
 TS_CMD_PARTX=${TS_CMD_PARTX-"$top_builddir/partx"}
 TS_CMD_RENAME=${TS_CMD_RENAME-"$top_builddir/rename"}
+TS_CMD_RUNUSER=${TS_CMD_RUNUSER-"$top_builddir/runuser"}
 TS_CMD_REV=${TS_CMD_REV:-"$top_builddir/rev"}
 TS_CMD_SCRIPT=${TS_CMD_SCRIPT-"$top_builddir/script"}
 TS_CMD_SCRIPTREPLAY=${TS_CMD_SCRIPTREPLAY-"$top_builddir/scriptreplay"}
-- 
cgit v1.2.3-55-g7522