Issue:
Malware could switch to another tty. Malware could pull the user from an emergency session tty back to the active VT used by the graphical session, where the malware runs.
(But malware cannot attempt to log in to the other tty or feed any data.)
This issue is not specific to Kicksecure. Probably most Linux distributions are affected.
Security impact:
This is primarily an availability issue because malware can disrupt or interrupt use of another tty by forcibly switching the visible terminal. It can also aid social engineering by pulling the user back into a compromised graphical session, for example to increase the effectiveness of login spoofing or other deceptive prompts. By itself, this does not appear to be a direct integrity issue, and any confidentiality impact would likely be indirect and only in combination with other attacks.
How to reproduce:
- log in to tty3
- switch back to the graphical session tty

chvt 3 && sleep 3 && chvt 2

This works, which is a bit scary.
(chvt can force a terminal switch even when the user is currently interacting with a root shell.)
This forced terminal change is something I’d like to fix.
Non-solutions:
- “Require sudo”: chvt does not require sudo/root.
- “Set chvt noSUID”: chvt is already non-suid.
- “Delete chvt”: chvt is a user-space utility. Malware could ship the same tool or malware could run the same syscall. Deleting chvt therefore does not accomplish very much.
- /etc/security/access.conf: Is only a PAM configuration file. Has no effect on chvt.
Real solution:
The only solution is a proper technical fix, such as a kernel or permissions fix, or distribution hardening. This remains unspecified because no known solution exists.
Related wiki chapters:
- virtual terminal (also known as Virtual Consoles)
- Console Login Attacks
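
The forced switch described under "How to reproduce" can at least be recorded while no fix exists. The following is an added example, not part of the original post or of Kicksecure: a POSIX shell watcher that polls /sys/class/tty/tty0/active (the kernel's name for the VT currently displayed) and logs when the display leaves a guarded VT. The function names, the VT_FILE variable and the default guarded VT tty3 are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report changes of the foreground VT.
# /sys/class/tty/tty0/active names the VT currently displayed, e.g. "tty3".
VT_FILE="${VT_FILE:-/sys/class/tty/tty0/active}"

# current_vt FILE: print the active VT name, or "unknown" if FILE is unreadable or empty.
current_vt() {
    cv_name=$(cat "$1" 2>/dev/null) || cv_name=""
    printf '%s\n' "${cv_name:-unknown}"
}

# classify_switch OLD NEW GUARDED: print one of
#   none          no change
#   switch        the display changed, but not away from the guarded VT
#   left-guarded  the display moved away from the VT the user is working on
classify_switch() {
    if [ "$1" = "$2" ]; then
        echo none
    elif [ "$1" = "$3" ]; then
        echo left-guarded
    else
        echo switch
    fi
}

# watch_vt FILE GUARDED [INTERVAL] [COUNT]: poll FILE and print one line per change.
# COUNT=0 polls until interrupted; a non-zero COUNT bounds the loop (used for testing).
watch_vt() {
    wv_last=$(current_vt "$1"); wv_i=0
    while [ "${4:-0}" -eq 0 ] || [ "$wv_i" -lt "${4:-0}" ]; do
        wv_now=$(current_vt "$1")
        wv_kind=$(classify_switch "$wv_last" "$wv_now" "$2")
        if [ "$wv_kind" != none ]; then
            printf '%s %s %s -> %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
                "$wv_kind" "$wv_last" "$wv_now"
        fi
        wv_last=$wv_now
        wv_i=$((wv_i + 1))
        sleep "${3:-1}"
    done
}

# Run as: sh vtwatch.sh --watch tty3   (guard the emergency session on tty3)
if [ "${1:-}" = "--watch" ]; then
    watch_vt "$VT_FILE" "${2:-tty3}" 1 0
fi
```

The watcher only records switches: it cannot tell a switch the user made with the keyboard from one made by chvt, and it does not prevent either. A switch away and back that completes within one polling interval is not seen.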