TIOCSTI ☔ issue

[dvorka]

The deprecation of TIOCSTI in newer Linux kernels has not yet been sufficiently addressed.

---

The story of the deadly Swiss knife command

This is the story of ioctl - nicknamed Swiss army knife - and its deprecated TIOCSTI command.

• ABSTRACT
• PROBLEM STATEMENT
• SOLUTION
• ALTERNATIVE APPROACHES
• NEXT STEPS
• RESOURCES

ABSTRACT

TIOCSTI is an ioctl syscall command in the Linux kernel that allows a process to simulate terminal input by injecting characters into the input queue of a terminal device as if they were typed by a user. This feature has a long history and has been part of Unix-like systems for decades:

• ioctl() is the kernel system call for device-specific input/output operation which Linux inherited from Unix in early 1990s.
• The TIOCSTI - terminal I/O control, simulate terminal input - ioctl command can push a character into a device stream.
• The TIOCSTI ioctl was implemented in the Linux kernel's terminal driver subsystem, allowing processes with the appropriate permissions to inject characters into a terminal's input queue.
• This feature was/is useful for certain applications, such as terminal emulators or debugging tools, where simulating user input was necessary.
• Over time, TIOCSTI became a source of security concerns. Malicious programs could use it to inject commands into another user's terminal session, potentially leading to privilege escalation or other attacks.
• I use TIOCSTI in the HSTR project, where it inserts the user's past commands into the terminal.

TIOCSTI has been deprecated in Linux kernels >= 6.2.0.

The history of TIOCSTI in the Linux kernel reflects the evolution of Unix-like systems and the ongoing balance between functionality and security. While it remains a part of the kernel for legacy reasons, its use is heavily restricted to prevent abuse, and modern applications are encouraged to use safer alternatives.

Therefore HSTR needs to find a way how to work without TIOCSTI.

PROBLEM STATEMENT

Over time, TIOCSTI became a source of security concerns:

• Malicious programs could use it to inject commands into another user's terminal session, potentially leading to privilege escalation or other attacks.

• Despite various mitigations, TIOCSTI remains a potential attack vector, and its use is generally discouraged in modern applications.

Examples of attack vectors:

• Privilege escalation: If a user ran a program with elevated privileges (e.g., via sudo), a malicious process could use TIOCSTI to inject commands into the terminal, effectively executing them with elevated privileges.
• Session hijacking: An attacker can use TIOCSTI to inject commands into another user's terminal session, especially if the attacker has access to the same terminal device (e.g., /dev/pts/X).
• Bypassing input sanitization: If a process relies on terminal input for sensitive operations (e.g., password prompts), TIOCSTI can be used to inject malicious input that bypasses expected sanitization or validation.
• Exploiting misconfigured permissions: If a terminal device has overly permissive access controls (e.g., world-writable permissions), any user on the system can use TIOCSTI to inject commands into that terminal.
• Injection commands into background shells: If a user backgrounds a shell (e.g., using Ctrl+Z), an attacker can use TIOCSTI to inject commands into the backgrounded shell, which will execute when the shell is brought back to the foreground.

Mitigation to address these security issues:

• The CAP_SYS_ADMIN capability was required to use TIOCSTI on terminals not owned by the calling process.

  • What is it?

• Some distributions and kernel configurations further restricted or disabled TIOCSTI to prevent abuse.

• TIOCSTI is still present in the Linux kernel for backward compatibility, but its use is limited and often restricted.

• Linux kernel >= 6.2.0 disabled TIOCSTI by default in several distributions.

The problem for useful applications - like HSTR - is how to implement the capability of inserting commands to the terminal input without TIOCSTI.

SOLUTION

readline based solution :

• Configuration:
  • TIOCSTI detection - can or cannot be used?
• Runtime:
  • simulation of the terminal input by injecting characters into the input queue of a terminal device without TIOCSTI by writing to /dev/tty device

Well what is this beauty?

• bash - function hstrnoticsti:

  • hstr/src/hstr.c

    Line 347 in 59f1b0d

    void print_bash_install_code(void)

• zsh - function hstr_no_tiocsti:

  • hstr/src/hstr.c

    Line 386 in 59f1b0d

    void print_zsh_install_code(void)

Pros:

• Safe solution without TIOCSTI.

Cons:

• User must configure HSTR, which might be show stopper in comparison to "no config needed" past.

ALTERNATIVE APPROACHES

There are several alternative approaches for working around the absence of TIOCSTI availability. What are they and what are their pros and cons?

Alternative approach: default kernel configuration override

• How to:
  • Override default kernel parameter CONFIG_LEGACY_TIOCSTI=y (compilation),
    at runtime using sysctl:
    • sysctl -w dev.tty.legacy_tiocsti=1
• Diagnostics:
  • sysctl kernel.osrelease
  • sysctl -a | grep tiocsti
• Pros:
  • HSTR can use TIOCSTI and therefore works without any modification.
• Cons:
  • Malicious processes can use re-enabled TIOCSTI as described in the abstract.

Alternative approach: Richard Lindberg solution:

...

Alternative approach: Pseudo-terminals (ptys)

...

NEXT STEPS

Enhancements to implement:

• HSTR binary to detect TIOCSTI availability and whether HSTR
  is configured in the shell (HSTR function availability in the environment)
  and based on that echo instructions of how to properly configure HSTR:
  • TIOCSTI is not available and HSTR is not properly configured - shell
    function which injects commands to the terminal is not set. Use
    hstr --show-configuration command to get configuration to be added
    to your .bashrc / .zshrc (based on which shell you use)

RESOURCES

Resources:

• https://en.wikipedia.org/wiki/Ioctl
  • ioctl() kernel syscall for device-specific input/output
    operation.
• https://tldp.org/LDP/lpg/lpg.html
  • ioctl() documentation in LPG
• https://github.com/dvorka/hstr
  • HSTR - bash and zsh shell history suggest box - easily view, navigate, search and manage your command history.
• TIOCSTI ☔ issue #531
  • HSTR's TIOCSTI umbrella issue.
• https://tiswww.case.edu/php/chet/readline/readline.html
  • GNU Readline Library documentation