| Summary: | TTY injection using TIOCSTI | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | Wout Decré <wout> | ||||||
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> | ||||||
| Status: | New --- | ||||||||
| Severity: | Affects Many People | ||||||||
| Priority: | --- | ||||||||
| Version: | 16.0-CURRENT | ||||||||
| Hardware: | Any | ||||||||
| OS: | Any | ||||||||
| Attachments: |
|
||||||||
Created attachment 268566 [details]
Example to inject strings using TIOCSTI
|
Created attachment 268398 [details] Example to add tunable sysctl option to allow or deny TIOCSTI On FreeBSD it is possible to do TTY injection using TIOCSTI when using tools like su(1) and jexec(8). FreeBSD removed support for TIOCSTI briefly but added again in 328d9d2c96e2349acbc2da4efc5ad34d68a47df6. The author thinks this is conceptually bad but is needed for tools like mail(1). There may be other tools and shells that depend on it too. OpenBSD completely removed support for TIOCSTI in 2017. HardenedBSD has a toggle to disable TIOCSTI. The toggle is set to prohibit TIOCSTI by default. I want to propose adding a tunable sysctl(8) option which allows or denies TIOCSTI. A proof of concept is attached. Before the patch, when using jexec(8) to run a jailed command as a normal user, it is possible to inject a command which then runs as the root user on the host: # jexec -U wout 3 /home/wout/inject whoami whoami # whoami root When I enable the new tunable, this is not permitted: # sysctl security.bsd.allow_tiocsti=0 security.bsd.allow_tiocsti: 1 -> 0 # jexec -U wout 3 /home/wout/inject whoami ioctl TIOCSTI failed: Operation not permitted This might be a good candidate to add to usr.sbin/bsdinstall/scripts/hardening as well.