CVE-2023-46277
📋 TL;DR
CVE-2023-46277 is a local privilege escalation vulnerability in 'please' (pleaser), a sudo alternative, affecting versions through 0.5.4. A local attacker can use the TIOCSTI or TIOCLINUX ioctl to inject commands into the terminal input buffer, potentially gaining root privileges. Users of pleaser versions ≤0.5.4 on Linux systems are affected.
💻 Affected Systems
- please (pleaser)
📦 What is this software?
Please by Edneville
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges on the system, enabling complete system compromise, data theft, and persistence.
Likely Case
Local user with limited privileges escalates to root to install malware, access sensitive data, or modify system configurations.
If Mitigated
Attack fails if TIOCSTI and TIOCLINUX ioctls are disabled via kernel hardening or pleaser configuration.
🎯 Exploit Status
Exploit requires local shell access. Proof-of-concept code is available in advisory references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.5.5 and later
Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0066.html
Restart Required: No
Instructions:
1. Update pleaser to version 0.5.5 or later using your package manager.
2. For Rust/Cargo installations: run 'cargo update pleaser'.
3. Verify the update with 'pleaser --version'.
🔧 Temporary Workarounds
Disable vulnerable ioctls via kernel parameters
Platform: Linux. Add kernel boot parameters to disable the TIOCSTI and TIOCLINUX ioctls system-wide.
Add 'ioctl.disable_tiocsti=1 ioctl.disable_tioclinux=1' to GRUB_CMDLINE_LINUX in /etc/default/grub
Run 'sudo update-grub' and reboot
Remove pleaser setuid bit
Platform: Linux. Temporarily remove the setuid privilege from the pleaser binary to prevent privilege escalation.
sudo chmod u-s $(which pleaser)
🧯 If You Can't Patch
- Restrict pleaser usage to trusted users only via sudoers configuration
- Monitor for suspicious pleaser execution patterns and command injection attempts
🔍 How to Verify
Check if Vulnerable:
Run 'pleaser --version' and check if version is ≤0.5.4. Also verify if pleaser binary has setuid bit set with 'ls -la $(which pleaser)'.
Check Version:
pleaser --version
Verify Fix Applied:
Confirm pleaser version is ≥0.5.5 with 'pleaser --version'. Test that command injection via TIOCSTI no longer works.
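The version and setuid checks above, as an added POSIX shell helper (not part of the pleaser project). It assumes 'pleaser --version' prints an x.y.z version string, and, for the kernel check, that the dev.tty.legacy_tiocsti sysctl is present (Linux 6.2 and later).

```shell
#!/bin/sh
# Added check for CVE-2023-46277; not part of the pleaser project.
# Fixed release per the advisory: 0.5.5. Anything older is affected.
FIXED_VERSION="0.5.5"

# version_lt A B: succeed when A sorts strictly before B (sort -V semantics).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# extract_version TEXT: first x.y.z token in "pleaser --version" output.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# vulnerable_version VERSION: succeed when VERSION is 0.5.4 or older.
vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# tiocsti_disabled: succeed when the kernel reports legacy TIOCSTI off.
# Assumption: the dev.tty.legacy_tiocsti sysctl exists (Linux 6.2+).
tiocsti_disabled() {
    [ "$(sysctl -n dev.tty.legacy_tiocsti 2>/dev/null)" = "0" ]
}

# check_pleaser: inspect the installed binary and print a verdict.
# Returns 1 when an affected version is installed, 0 otherwise.
check_pleaser() {
    bin=$(command -v pleaser 2>/dev/null) || { echo "pleaser not installed"; return 0; }
    ver=$(extract_version "$("$bin" --version 2>&1)")
    echo "binary:  $bin"
    echo "version: ${ver:-unknown}"
    [ -u "$bin" ] && echo "setuid:  set" || echo "setuid:  not set"
    if [ -n "$ver" ] && vulnerable_version "$ver"; then
        if tiocsti_disabled; then
            echo "verdict: affected version, but TIOCSTI is disabled by the kernel"
        else
            echo "verdict: VULNERABLE - update to $FIXED_VERSION or later"
        fi
        return 1
    fi
    echo "verdict: not affected"
    return 0
}

check_pleaser
```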
📡 Detection & Monitoring
Log Indicators:
- Unusual pleaser execution patterns
- Multiple failed privilege escalation attempts
- Suspicious command injection in terminal sessions
Network Indicators:
- None - this is a local attack
SIEM Query:
process.name:"pleaser" AND (event.action:"privilege_escalation" OR command_line:"TIOCSTI" OR command_line:"TIOCLINUX")
🔗 References
- https://github.com/rustsec/advisory-db/pull/1798
- https://gitlab.com/edneville/please/-/issues/13
- https://gitlab.com/edneville/please/-/merge_requests/69#note_1594254575
- https://rustsec.org/advisories/RUSTSEC-2023-0066.html