Hacker News
by bahorn 771 days ago
This is not a real bug and the trick is possible with sudo if you just hijack the parent process of sudo with reptyr instead of sudo directly.

It also seems a bit absurd to try and pretend there is a security boundary between processes started by the same user. You could already do PATH trickery here, a time-honoured tradition.


I put a bit of further thought into this. The claim is that because the pty has user permissions it's possible to hijack it, but that really hasn't been true for years, which is why the two PoCs do things like use reptyr (which involves replacing fds with ptrace [1], needing either a parent relationship or capabilities that aren't default) or running a command like netcat directly from the pty you want to control [2] (essentially ttyjack [3]).

If you look at the implementation of TIOCSTI [4] (I'm 99% sure this is what the new PoC is doing), you can see why you can't do this across ttys. This goes back ages, even into some 2.6 kernels it seems, before I got bored going back through kernel versions.

I went and tested all this on an Ubuntu 22.04 box; it's not possible unless there is a new trick to hijack ttys. I tried TIOCLINUX across ttys physically at the machine and that didn't work either.

[1] https://blog.nelhage.com/2014/08/new-reptyr-feature-tty-stea...
[2] https://twitter.com/hackerfantastic/status/17860809689581612...
[3] https://github.com/jwilk/ttyjack
[4] https://elixir.bootlin.com/linux/latest/source/drivers/tty/t...
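The kernel check the comment above refers to is easy to exercise directly. The program below is an added example, not code from the comment or from either PoC: it opens a terminal device and asks the kernel to push bytes into that terminal's input queue with TIOCSTI, then reports why the call was (or was not) allowed. In the kernel's tiocsti() the fd has to be the caller's own controlling terminal unless the caller has CAP_SYS_ADMIN, so pointing it at another user's, or even your own other, /dev/pts/N gets EPERM; on kernels from 6.2 with dev.tty.legacy_tiocsti=0 the ioctl is refused outright with EIO. The function names (tiocsti_inject, explain) and the default target /dev/tty are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Try to push every byte of `s` into the input queue of the tty behind `fd`
 * using TIOCSTI, one byte per ioctl (that is the interface: the argument is a
 * pointer to a single char). Returns 0 on success, otherwise the errno the
 * kernel handed back on the first failing byte. */
int tiocsti_inject(int fd, const char *s) {
    for (; *s; s++) {
        if (ioctl(fd, TIOCSTI, s) < 0)
            return errno;
    }
    return 0;
}

/* Map the result onto the branches a practitioner cares about. The EPERM and
 * EIO explanations follow the kernel's tiocsti() logic as described in the
 * lead-in; the strings themselves are this example's wording. */
const char *explain(int err) {
    switch (err) {
    case 0:
        return "injected: fd is our controlling tty, or we hold CAP_SYS_ADMIN";
    case EPERM:
        return "EPERM: not our controlling tty and no CAP_SYS_ADMIN";
    case EIO:
        return "EIO: TIOCSTI disabled (dev.tty.legacy_tiocsti=0, Linux >= 6.2)";
    case ENOTTY:
        return "ENOTTY: fd is not a terminal";
    default:
        return strerror(err);
    }
}

/* Usage: ./tiocsti_probe [/dev/pts/N]
 * With no argument it targets /dev/tty (our own controlling terminal), where
 * injection succeeds on a legacy-TIOCSTI kernel and "id" shows up as typed
 * input. Pass another pty, e.g. one where sudo is waiting for a password, to
 * see the cross-tty refusal. O_NOCTTY keeps open() from making the target our
 * controlling tty as a side effect, which would defeat the test. */
int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/dev/tty";
    int fd = open(path, O_RDWR | O_NOCTTY);
    if (fd < 0) {
        perror(path);
        return 1;
    }
    int err = tiocsti_inject(fd, "id\n");
    printf("%s: %s\n", path, explain(err));
    close(fd);
    return err ? 1 : 0;
}
```

Running it against your own terminal versus a second `tty` you opened in another window is the quickest way to reproduce what the comment describes: the same user, the same device permissions, and still no injection without a controlling-tty relationship or a capability that is not granted by default.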