Linux Kernel TTY Subsystem Privilege Escalation Vulnerability via TIOCL_SELMOUSEREPORT

Vulnerability

A vulnerability in the Linux kernel's TTY subsystem allows for privilege escalation by misusing the TIOCL_SELMOUSEREPORT IOCTL. This IOCTL, intended for mouse daemons like GPM or Consolation, can be exploited to inject simulated mouse movements into command-line applications, potentially leading to unauthorized interaction with those programs. The issue arises from an inconsistency in how the TIOCL_SELMOUSEREPORT mode is handled, allowing exploitation under certain conditions.

Impact

Exploitation of this vulnerability could enable an attacker to inject mouse movements into applications running on the same terminal, potentially interfering with their normal operation or input processing.

Reproduction

To reproduce this vulnerability, first ensure that a mouse daemon such as GPM or Consolation is running, as these are the intended users of the TIOCL_SELMOUSEREPORT IOCTL. Once the daemon is active, the vulnerability can be exploited by sending TIOCL_SELMOUSEREPORT IOCTL commands to the TTY subsystem. This can be done through a C program or script that has the necessary permissions to interact with the TTY device. The injected mouse reports can then be misinterpreted by applications that do not expect input in the X11 mouse protocol form, similar to how keyboard input was previously simulated with TIOCSTI.

Remediation

The vulnerability has been addressed by restoring the earlier CAP_SYS_ADMIN requirement for TIOCL_SELMOUSEREPORT, ensuring that only authorized users can access this functionality.
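
As an added example (not part of the original advisory or of the kernel fix), a program that never enabled mouse reporting can discard X11-style mouse reports from its terminal input itself. The framing ESC [ M followed by three bytes (button, column, row) is the classic X11/xterm encoding and is an assumption here, since the page does not spell it out; the names mouse_filter and mouse_filter_feed are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Filter state, kept across read() calls so a report split over two
 * reads is still recognised. Zero-initialise before first use. */
struct mouse_filter {
    int state;             /* 0 text, 1 saw ESC, 2 saw ESC [, 3..5 payload */
    unsigned long dropped; /* complete reports removed so far */
};
/* Copy in[0..n) to out, omitting every ESC [ M Cb Cx Cy report. out must
 * hold n + 2 bytes (a held "ESC [" may be flushed). Returns bytes written. */
size_t mouse_filter_feed(struct mouse_filter *f, const unsigned char *in,
                         size_t n, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        switch (f->state) {
        case 0:
            if (c == 0x1b) f->state = 1; else out[o++] = c;
            break;
        case 1:
            if (c == '[') { f->state = 2; break; }
            out[o++] = 0x1b;                 /* not a CSI: release held ESC */
            f->state = 0; i--;               /* re-examine c as plain text */
            break;
        case 2:
            if (c == 'M') { f->state = 3; break; }
            out[o++] = 0x1b; out[o++] = '['; /* some other CSI: pass through */
            f->state = 0; i--;
            break;
        default:                             /* 3,4,5: button, column, row */
            if (++f->state == 6) { f->state = 0; f->dropped++; }
            break;
        }
    }
    return o;
}

int main(void)
{
    /* Constructed input: "ls", one injected-style report, then "-l\n". */
    const char *in = "ls\033[M #$-l\n";
    unsigned char out[32];
    struct mouse_filter f = {0, 0};
    size_t n = mouse_filter_feed(&f, (const unsigned char *)in, strlen(in), out);
    return fwrite(out, 1, n, stdout) == n ? 0 : 1;
}
```

A lone ESC keypress is held until the next byte arrives, so an interactive caller needs its own timeout to flush it.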

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.8
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.