martin carpenter


most popular
2012/05/05, updated 2012/12/15
ubuntu unity lens for vim

tty hijacking via tiocsti


tags: solaris ioctl(2) TIOCSTI vulnerability

I have been following recent discussion on the oss-security mailing list regarding TTY hijacking via TIOCSTI ioctl at

This references the following bug reports:

The perl script from the debian report won't run with stock Solaris perl (cannot find sys/, but this is trivial in C:

#include <unistd.h>
#include <stropts.h>
int insert_char_into_fd(int fd, char c) {
    return( -1 == ioctl(fd, TIOCSTI, &c) ? 0 : 1 );

Both Solaris 10 su(1M) and pfexec(1) are vulnerable to this problem but Oracle have marked this WONTFIX (at least for pfexec(1)) since (paraphrasing) "nobody uses pfexec to run with reduced privileges".