Message-ID: <20240116211257.kq5fubdztdk7d5dr@jwilk.net>
Date: Tue, 16 Jan 2024 22:12:57 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: <oss-security@...ts.openwall.com>
Subject: Re: TTY pushback vulnerabilities / TIOCSTI

* Jakub Wilk <jwilk@...lk.net>, 2024-01-08 06:52:
>* Hanno Böck <hanno@...eck.de>, 2023-03-24 19:56:
>>Here's a proposed patch to restrict access to the dangerous
>>functionality.
>
>This patch has been included in Linux v6.7:
>https://git.kernel.org/linus/8d1b43f6a6df7bcea20982ad376a000d90906b42

Incidentally the patch fixes another minor vulnerability:

TIOCL_SETSEL selects text on the active vt, even when the fd you ran
ioctl on refers to a different vt. Since switching virtual terminals
doesn't require extra privileges, if /dev/ttyN is your controlling
terminal, you can select text from any otherwise inaccessible vt, and
then paste it into your own program.

Proof of concept (using minittyjack from my earlier posting[0]):

    n=$(fgconsole) m=$((n+1)) && chvt $m && minittyjack && chvt $n && cat

A more elaborate exploit is available here:
https://github.com/jwilk/vcsnoop

[0] https://www.openwall.com/lists/oss-security/2023/03/14/3/1

-- 
Jakub Wilk
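
For sandboxed processes on kernels that predate the v6.7 patch, one mitigation is a seccomp filter that refuses TIOCLINUX outright. The sketch below is an added example, not part of the original message or of the kernel patch. The names deny_tioclinux and ioctl_errno_under_filter are hypothetical, a little-endian x86-64 or aarch64 build is assumed, and because seccomp cannot read the subcode byte behind the argument pointer it blocks every TIOCLINUX subcommand rather than only the selection ones.

```c
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__aarch64__)              /* assumption: little-endian 64-bit build */
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#endif
#define FIELD(f) ((unsigned)offsetof(struct seccomp_data, f))

/* Make ioctl(fd, TIOCLINUX, ...) fail with EPERM for this process and its children. */
int deny_tioclinux(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 2),  /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 0, 1),   /* x32 numbering: kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[1])),      /* low 32 bits of request */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCLINUX, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { sizeof prog / sizeof prog[0], prog };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ? -1
         : prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Self-check: errno a filtered child sees for `request` on an invalid fd. */
int ioctl_errno_under_filter(unsigned long request)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0)  /* child: install the filter, then attempt the ioctl */
        _exit(deny_tioclinux() ? 255 : ioctl(-1, request, NULL) == -1 ? errno : 0);
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) { return ioctl_errno_under_filter(TIOCLINUX) != EPERM; }
```

A sandbox launcher would call deny_tioclinux() immediately before exec'ing the confined program; the filter is inherited across fork and exec and cannot be removed afterwards.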