https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293485
Bug ID: 293485
Summary: TTY injection using TIOCSTI
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Created attachment 268398
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=268398&action=edit
Example to add tunable sysctl option to allow or deny TIOCSTI
On FreeBSD it is possible to do TTY injection using TIOCSTI when using tools
like su(1) and jexec(8).
FreeBSD removed support for TIOCSTI briefly but added it again in
328d9d2c96e2349acbc2da4efc5ad34d68a47df6.
The author thinks this is conceptually bad but is needed for tools like
mail(1). There may be other tools and shells that depend on it too.
OpenBSD completely removed support for TIOCSTI in 2017.
HardenedBSD has a toggle to disable TIOCSTI. The toggle is set to prohibit
TIOCSTI by default.
I want to propose adding a tunable sysctl(8) option which allows or denies
TIOCSTI. A proof of concept is attached.
Before the patch, when using jexec(8) to run a jailed command as a normal user,
it is possible to inject a command which then runs as the root user on the
host:
    # jexec -U wout 3 /home/wout/inject whoami
    whoami
    # whoami
    root
When I enable the new tunable, this is not permitted:
    # sysctl security.bsd.allow_tiocsti=0
    security.bsd.allow_tiocsti: 1 -> 0
    # jexec -U wout 3 /home/wout/inject whoami
    ioctl TIOCSTI failed: Operation not permitted
This might be a good candidate to add to usr.sbin/bsdinstall/scripts/hardening
as well.
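Added example, not part of the bug report or its attached patch: one way a hardening step could report the runtime state of the proposed tunable and pin it to 0 in a sysctl.conf-style file without leaving an older assignment behind. It assumes a kernel carrying the proposed security.bsd.allow_tiocsti OID; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the kernel has the security.bsd.allow_tiocsti
# OID proposed in this report; stock kernels do not provide it.

OID="security.bsd.allow_tiocsti"
# Matches any existing assignment of the OID, with optional whitespace.
OID_RE='^[[:space:]]*security\.bsd\.allow_tiocsti[[:space:]]*='

# Report the running kernel's state:
#   denied      - OID present and set to 0
#   allowed     - OID present and non-zero
#   unsupported - OID absent (kernel without the proposed patch)
tiocsti_runtime_state() {
    val=$(sysctl -n "$OID" 2>/dev/null) || { echo unsupported; return; }
    case "$val" in
        0) echo denied ;;
        *) echo allowed ;;
    esac
}

# Idempotently pin OID=0 in the sysctl.conf-style file given as $1.
# Every active assignment of the OID is dropped first, so a stale "=1"
# line cannot take effect after the hardened value; commented-out lines
# and unrelated settings are kept as they are.
persist_tiocsti_deny() {
    conf=$1
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    if [ -f "$conf" ]; then
        sed -E "/${OID_RE}/d" "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    echo "${OID}=0" >> "$tmp"
    # Write through the original path so its mode and owner are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Typical use on a patched system (as root):
#   persist_tiocsti_deny /etc/sysctl.conf && sysctl "${OID}=0"
#   tiocsti_runtime_state
```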