From 049b26b22e197ba3be9c46e5c193032e01a4724a Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Mon, 12 May 2025 15:15:38 +0200
Subject: fix CVE-2025-46802: attacher.c - prevent temporary 0666 mode on PTYs

This temporary chmod of the PTY to mode 0666 is most likely a remnant of
past times, before the PTY file descriptor was passed to the target
session via the UNIX domain socket.

This chmod() causes a race condition during which any other user in the
system can open the PTY for reading and writing, and thus allows PTY
hijacking.

Simply remove this logic completely.
---
 src/attacher.c | 27 ---------------------------
 src/screen.c   | 19 -------------------
 2 files changed, 46 deletions(-)

diff --git a/src/attacher.c b/src/attacher.c
index c35ae7a..16b151e 100644
--- a/src/attacher.c
+++ b/src/attacher.c
@@ -73,7 +73,6 @@ extern int MasterPid, attach_fd;
 #ifdef MULTIUSER
 extern char *multi;
 extern int multiattach, multi_uid, own_uid;
-extern int tty_mode, tty_oldmode;
 # ifndef USE_SETEUID
 static int multipipe[2];
 # endif
@@ -160,9 +159,6 @@ int how;
 
       if (pipe(multipipe))
 	Panic(errno, "pipe");
-      if (chmod(attach_tty, 0666))
-	Panic(errno, "chmod %s", attach_tty);
-      tty_oldmode = tty_mode;
       eff_uid = -1;	/* make UserContext fork */
       real_uid = multi_uid;
       if ((ret = UserContext()) <= 0)
@@ -174,11 +170,6 @@ int how;
 	    Panic(errno, "UserContext");
 	  close(multipipe[1]);
 	  read(multipipe[0], &dummy, 1);
-	  if (tty_oldmode >= 0)
-	    {
-	      chmod(attach_tty, tty_oldmode);
-	      tty_oldmode = -1;
-	    }
 	  ret = UserStatus();
 #ifdef LOCK
 	  if (ret == SIG_LOCK)
@@ -224,9 +215,6 @@ int how;
       xseteuid(multi_uid);
       xseteuid(own_uid);
 #endif
-      if (chmod(attach_tty, 0666))
-	Panic(errno, "chmod %s", attach_tty);
-      tty_oldmode = tty_mode;
     }
 # endif /* USE_SETEUID */
 #endif /* MULTIUSER */
@@ -423,13 +411,6 @@ int how;
       ContinuePlease = 0;
 # ifndef USE_SETEUID
       close(multipipe[1]);
-# else
-      xseteuid(own_uid);
-      if (tty_oldmode >= 0)
-        if (chmod(attach_tty, tty_oldmode))
-          Panic(errno, "chmod %s", attach_tty);
-      tty_oldmode = -1;
-      xseteuid(real_uid);
 # endif
     }
 #endif
@@ -505,14 +486,6 @@ AttacherFinit SIGDEFARG
 	  close(s);
 	}
     }
-#ifdef MULTIUSER
-  if (tty_oldmode >= 0)
-    {
-      if (setuid(own_uid))
-        Panic(errno, "setuid");
-      chmod(attach_tty, tty_oldmode);
-    }
-#endif
   exit(0);
   SIGRETURN;
 }
diff --git a/src/screen.c b/src/screen.c
index 7653cd1..1a23e1a 100644
--- a/src/screen.c
+++ b/src/screen.c
@@ -230,8 +230,6 @@ char *multi_home;
 int multi_uid;
 int own_uid;
 int multiattach;
-int tty_mode;
-int tty_oldmode = -1;
 #endif
 
 char HostName[MAXSTR];
@@ -1009,9 +1007,6 @@ int main(int ac, char** av)
 
     /* ttyname implies isatty */
     SetTtyname(true, &st);
-#ifdef MULTIUSER
-    tty_mode = (int)st.st_mode & 0777;
-#endif
 
     fl = fcntl(0, F_GETFL, 0);
     if (fl != -1 && (fl & (O_RDWR|O_RDONLY|O_WRONLY)) == O_RDWR)
@@ -2170,20 +2165,6 @@ DEFINE_VARARGS_FN(Panic)
       if (D_userpid)
         Kill(D_userpid, SIG_BYE);
     }
-#ifdef MULTIUSER
-  if (tty_oldmode >= 0) {
-
-# ifdef USE_SETEUID
-    if (setuid(own_uid))
-      xseteuid(own_uid);	/* may be a loop. sigh. */
-# else
-      setuid(own_uid);
-# endif
-
-    debug1("Panic: changing back modes from %s\n", attach_tty);
-    chmod(attach_tty, tty_oldmode);
-  }
-#endif
   eexit(1);
 }
 


