Background reading: https://ruderich.org/simon/notes/su-sudo-from-root-tty-hijacking
Executing the exploit in that page within an `iocage console` shell results in command execution in the host's shell, which is usually running as `root` to use `iocage`.
I have (re)started discussions to block or remove this IOCTL altogether in FreeBSD like other OSes did but it is most likely going to take some time. So in the meantime, why not go forward and protect our users from it ourselves?
I am testing something using python's `pty` module to run the shell in a new pseudo-terminal instead of the original one. It works but still needs some testing and bits of code to address situations that need environment variables (e.g. when `InteractiveExec` is used to run `freebsd-update` which might need `HTTP_PROXY`).
I'll try to submit a PR next week.
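A sketch of the approach described in the post, added here as an illustration (it is neither iocage code nor the PR the author mentions): the command is started on a freshly allocated pseudo-terminal and receives only an allowlist of host variables. The names in FORWARDED_ENV and the fixed PATH are assumptions.

```python
import os
import pty
import select
import sys

# Host variables a console shell may legitimately need (assumed list; extend as required).
FORWARDED_ENV = ("TERM", "HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY", "http_proxy", "https_proxy")

def build_env(source=None):
    """Minimal child environment: a fixed PATH plus allowlisted host variables only."""
    source = os.environ if source is None else source
    env = {"PATH": "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"}
    for name in FORWARDED_ENV:
        if name in source:
            env[name] = source[name]
    return env

def run_in_fresh_pty(argv, env, interactive=True):
    """Run argv on a fresh pseudo-terminal (its controlling tty), isolated from
    the host's terminal, so a TIOCSTI from the child only queues bytes on its own
    pty, which the parent reads back as plain output. Returns (exit_code, output)."""
    pid, master_fd = pty.fork()
    if pid == 0:
        os.execvpe(argv[0], argv, env)  # child: fds 0/1/2 are the new pty slave
    host_in = sys.stdin.fileno() if interactive else None
    fds = [fd for fd in (master_fd, host_in) if fd is not None]
    captured = bytearray()
    try:
        while True:
            ready, _, _ = select.select(fds, [], [])
            if master_fd in ready:
                try:
                    data = os.read(master_fd, 4096)
                except OSError:  # Linux raises EIO once the slave side is closed
                    data = b""
                if not data:     # BSDs report plain EOF instead
                    break
                captured += data
                if interactive:
                    os.write(sys.stdout.fileno(), data)
            if host_in in ready:
                data = os.read(host_in, 4096)
                if not data:     # EOF on the host side: stop relaying
                    break
                os.write(master_fd, data)  # host keystrokes reach only the child's pty
    finally:
        os.close(master_fd)
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status), bytes(captured)
```

For a real interactive console the host side should also be switched to raw mode (as `pty.spawn` does) so control characters pass through to the child unchanged.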