Home page logo

oss-sec logo oss-sec mailing list archives

tty-hijacking & CVE-2005-4890 - redux
From: "mancha" <mancha1 () hush com>
Date: Mon, 20 May 2013 17:43:40 +0000


A recent use-case on Slackware made me re-visit CVE-2005-4890
in the context of "su -c". Particularly, shadow's implementation
as of shadow 4.1.5.

During the discussions of this CVE (see footer links), it was
pointed out shadow's fix is partial given interactive su remains
vulnerable to tty-hijacking. It was also mentioned this vector
is less worrisome given use cases for interactive su are primarily
privilege escalation.

The CVE was always a bit controversial with many believing
using su and sudo to drop privileges is unsafe and more an
administration issue than a design flaw.

All that said, at the very least would it be reasonable to
apply the same threat-assessment criterion to the crippling
of "su -c" and not drop the controlling tty for the case when
the callee is root?

Slackware doesn't use PAM so the fix in shadow relies on a
TIOCNOTTY ioctl() request and not a setsid() call. One result
of this change is summarized in the table below:


1. As unpriv user user1:
xterm -e su -c $COMM          SUCCESS    FAIL     SUCCESS
xterm -e su user2 -c $COMM    SUCCESS    FAIL     FAIL

2. As root:
xterm -e su user1 -c $COMM    SUCCESS    FAIL     FAIL

* See attached




[1] http://thread.gmane.org/gmane.comp.security.oss.general/5172
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843

Attachment: shadow-

  By Date           By Thread  

Current thread:
  • tty-hijacking & CVE-2005-4890 - redux mancha (May 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]