git.ipfire.org Git - thirdparty/util-linux.git/commit
tests: Add helper for TIOCSTI exploit
author Stanislav Brabec <sbrabec@suse.cz>
Wed, 2 Mar 2016 19:35:54 +0000 (20:35 +0100)
committer Karel Zak <kzak@redhat.com>
Thu, 29 Sep 2016 12:24:00 +0000 (14:24 +0200)
commit a0a8e9884443601abf9f06b715f2f6bb0820cbad
tree 8e518a607b1613a372df472daecbe911195c6d35
parent 3e44e75dae38cce3423cf5270c5edfd1079ca438

This helper/exploit injects "id -u -n\n" to the vulnerable calling terminal.

Use id -u -n to get a reproducible output of test cases based on it.

What can happen:

Nothing, no exploit: pty is not accessible, setsid() disconnected the task from
pty, TIOCSTI failed.

The command is injected to the unprivileged environment pty, and you see e.g.
"nobody": This is acceptable.

The command is injected to the caller (privileged) pty, and you see "root" (or
caller uid name): This is not acceptable and has security implications.

References:

CVE-2016-2779
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2779
http://seclists.org/oss-sec/2016/q1/448
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
https://bugzilla.redhat.com/show_bug.cgi?id=173008
https://bugzilla.suse.com/show_bug.cgi?id=968674
https://bugzilla.suse.com/show_bug.cgi?id=968675

CVE-2016-2781
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2781
http://seclists.org/oss-sec/2016/q1/452

Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
Cc: Federico Bento <up201407890@alunos.dcc.fc.up.pt>
tests/commands.sh
tests/helpers/Makemodule.am
tests/helpers/test_tiocsti.c [new file with mode: 0644]