GNU Coreutils 'su - user -c program' Local Privilege Escalation Vulnerability

Vulnerability ID 1208675 Vulnerability type Design Error
Published 2005-11-12 Updated 2005-11-12
CVE number CVE-2005-4890 CNNVD-ID N/A
Platform N/A CVSS score N/A
A recent use-case on Slackware made me re-visit CVE-2005-4890
in the context of "su -c". Particularly, shadow's implementation
as of shadow 4.1.5.

During the discussions of this CVE (see footer links), it was
pointed out shadow's fix is partial given interactive su remains
vulnerable to tty-hijacking. It was also mentioned this vector
is less worrisome given use cases for interactive su are primarily
privilege escalation.

The CVE was always a bit controversial with many believing
using su and sudo to drop privileges is unsafe and more an
administration issue than a design flaw.

All that said, at the very least would it be reasonable to
apply the same threat-assessment criterion to the crippling
of "su -c" and not drop the controlling tty for the case when
the callee is root?

Slackware doesn't use PAM so the fix in shadow relies on a
TIOCNOTTY ioctl() request and not a setsid() call. One result
of this change is summarized in the table below:


1. As unpriv user user1:
xterm -e su -c $COMM          SUCCESS    FAIL     SUCCESS
xterm -e su user2 -c $COMM    SUCCESS    FAIL     FAIL

2. As root:
xterm -e su user1 -c $COMM    SUCCESS    FAIL     FAIL

* See attached
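As an added example (not code from the quoted post and not shadow's own source), the two detach mechanisms the post contrasts, written for Linux: a privilege-dropping wrapper giving up its controlling tty with the TIOCNOTTY ioctl, versus starting a new session with setsid() after a fork(), plus the check a wrapper can run to confirm that no tty survived into the less-privileged child. The function names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the calling process still has a controlling terminal.
 * /dev/tty always names the controlling tty, so the open fails (ENXIO)
 * once the process has been detached. */
int has_controlling_tty(void) {
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Detach the way a non-PAM build can: give the tty up with TIOCNOTTY.
 * Works even when the caller already leads a process group (the usual
 * state of "su" launched from a shell), where setsid() would fail.
 * Returns 0 on success or when there is no tty to give up, -1 otherwise.
 * Caveat: if the caller is the session leader, the kernel also sends
 * SIGHUP/SIGCONT to the foreground process group. */
int detach_tty_ioctl(void) {
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0) return (errno == ENXIO || errno == ENOENT) ? 0 : -1;
    int rc = ioctl(fd, TIOCNOTTY, 0);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc < 0 ? -1 : 0;
}

/* Detach with setsid() instead: fork first so the child is not a
 * process-group leader, then start a new session, which has no
 * controlling tty by construction. A real wrapper would drop privileges
 * and exec the target command here; this demo child only reports
 * whether a tty survived. Returns the child's exit status (0 = detached),
 * or -1 on a fork/wait error. */
int run_detached_with_setsid(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setsid() == (pid_t)-1) _exit(2);
        _exit(has_controlling_tty() ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Either path leaves the child unable to open /dev/tty, which is the property a wrapper should assert on before exec'ing the command.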



GNU Coreutils 5.2.1, 5.2, 5.1.3, 5.1.2, 5.1.1, 5.1, 5.0.91