martin carpenter

tty hijacking via tiocsti

2011/06/28

tags: solaris ioctl(2) TIOCSTI vulnerability

I have been following recent discussion on the oss-security mailing list regarding TTY hijacking via TIOCSTI ioctl at http://seclists.org/oss-sec/2011/q2/526.

This references the following bug reports:

The Perl script from the Debian report won't run with stock Solaris perl (cannot find sys/ioctl.ph), but this is trivial in C:

#include <unistd.h>
#include <stropts.h>
...
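/* Push one character onto the input queue of the terminal open on fd.
 * Returns 1 on success, 0 if the ioctl fails. */
int insert_char_into_fd(int fd, char c) {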
    return( -1 == ioctl(fd, TIOCSTI, &c) ? 0 : 1 );
}

Both Solaris 10 su(1M) and pfexec(1) are vulnerable to this problem but Oracle have marked this WONTFIX (at least for pfexec(1)) since (paraphrasing) "nobody uses pfexec to run with reduced privileges".
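
A launcher that hands its terminal to less-privileged code can detach the child from that terminal before exec. The sketch below is an added example, not code from the original post or from su(1M)/pfexec(1); it assumes Linux semantics, where TIOCSTI from a process without CAP_SYS_ADMIN is refused unless the target is the caller's controlling terminal, and `detach_from_tty` and `run_detached` are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child-side step before exec: leave the invoking session so the caller's
 * terminal is no longer our controlling tty. Assumption (Linux): inherited
 * fds 0/1/2 may still point at the tty, but TIOCSTI on them now fails with
 * EPERM unless the process holds CAP_SYS_ADMIN. */
static int detach_from_tty(void) {
    if (setsid() == (pid_t)-1)
        return -1;
    /* Verify the detach: /dev/tty must no longer resolve to a terminal. */
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd >= 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Run argv[0] in a new session. Returns the command's exit status,
 * 126 if the detach failed, 127 if exec failed, -1 on fork/wait errors. */
int run_detached(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach_from_tty() != 0)
            _exit(126);
        /* A real launcher would drop privileges here, after the detach. */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    return argc > 1 ? run_detached(argv + 1) : 2;
}
```

The cost is that the child loses job control and terminal-generated signals such as Ctrl-C, so interactive use needs a separate pseudo-terminal relayed by the parent instead.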