martin carpenter

contents

most popular
2012/05/05, updated 2012/12/15
Ubuntu unity lens for vim
2010/04/14
ckwtmpx

tty hijacking via tiocsti

2011/06/28

tags: solaris ioctl(2) TIOCSTI vulnerability

I have been following recent discussion on the oss-security mailing list regarding TTY hijacking via TIOCSTI ioctl at http://seclists.org/oss-sec/2011/q2/526.

This references the following bug reports:

The perl script from the debian report won't run with stock Solaris perl (cannot find sys/ioctl.ph), but this is trivial in C:

#include <unistd.h>
#include <stropts.h>
...
int insert_char_into_fd(int fd, char c) {
    return( -1 == ioctl(fd, TIOCSTI, &c) ? 0 : 1 );
}

Both Solaris 10 su(1M) and pfexec(1) are vulnerable to this problem but Oracle have marked this WONTFIX (at least for pfexec(1)) since (paraphrasing) "nobody uses pfexec to run with reduced privileges".