It is possible for a sandboxed process to put characters into the input stream of the terminal using the TIOCSTI ioctl() on the tty's file descriptor. This data may be interpreted by a shell running on the terminal, allowing the sandboxed process to run code with the full authority of the user.
Classification
Location:
Local Access Required
Attack Type:
Authentication Management
Impact:
Loss of Confidentiality,
Loss of Integrity
Exploit:
Exploit Unknown
Solution
Upgrade to version 1.18 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Granting access to /dev/tty (this includes not using the -B option to pola-run), and by proxying access to stdin/stdout/stderr by piping them through cat
"cat | pola-run ... 2>&1 | cat"
Another option would be eg. to implement PTraceJail this would allow to block ioctl() calls
This product uses the Daylife API but is not endorsed or certified by Daylife.
This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.
