CVE-2023-46277
Description
please (aka pleaser) through 0.5.4 allows privilege escalation through the TIOCSTI and/or TIOCLINUX ioctl. (If both TIOCSTI and TIOCLINUX are disabled, this cannot be exploited.)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-46277 in please (pleaser) through 0.5.4 allows local privilege escalation via TIOCSTI or TIOCLINUX ioctl when not disabled.
Vulnerability
CVE-2023-46277 affects please (also known as pleaser) through version 0.5.4, a privilege escalation tool. The vulnerability stems from the program's failure to restrict the TIOCSTI and TIOCLINUX ioctl operations, which can be abused to inject keystrokes into the parent terminal. If both ioctls are disabled system-wide, the issue is not exploitable [1][2].
Exploitation
An attacker with local access and low privileges can exploit this by crafting a program that uses the TIOCSTI ioctl to push arbitrary keystrokes—such as commands—into the terminal input buffer. The attack requires user interaction (the victim must run the malicious binary via please) and depends on the terminal being a real TTY (not a PTY). A proof-of-concept is publicly available, demonstrating how a user can escalate to run commands as another user (e.g., nobody) when please is setuid and configured accordingly [3].
Impact
Successful exploitation allows a local attacker to escalate privileges to the target user specified in the please configuration. The CVSS 3.1 score is 4.6 (Medium), with attack vector local, low complexity, and changed scope. The impact includes potential compromise of confidentiality and integrity of data accessible by the target user [2].
Mitigation
No patched version of please is available as of the advisory date. Users are advised to disable the legacy TIOCSTI ioctl on their systems (via sysctl dev.tty.legacy_tiocsti=0) or to use a PTY-based workaround. The issue was reported in April 2023 and remains unpatched, leaving affected installations exposed [2][4].
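The sysctl named above only exists on Linux 6.2 and later kernels built with CONFIG_LEGACY_TIOCSTI; on older kernels there is no knob and TIOCSTI stays available. The following POSIX shell check is an added example, not part of the advisory or the please project: it reads the knob (a constructed file path may be passed instead of the real /proc entry, which is how it is tested offline) and reports whether the TIOCSTI half of the mitigation is in place. The function names and the --check flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the please project).
# Reports whether the kernel's legacy TIOCSTI knob is present and disabled.
# dev.tty.legacy_tiocsti appears on Linux 6.2+ with CONFIG_LEGACY_TIOCSTI;
# older kernels have no knob, so TIOCSTI cannot be turned off there.
# Assumption: $1 is the sysctl file (defaults to the real /proc path; tests pass
# a constructed file).

# tiocsti_status [PATH] -> prints: disabled | enabled | unavailable
tiocsti_status() {
    path="${1:-/proc/sys/dev/tty/legacy_tiocsti}"
    if [ ! -r "$path" ]; then
        # No knob at all: kernel predates 6.2 or lacks CONFIG_LEGACY_TIOCSTI.
        printf 'unavailable\n'
        return 0
    fi
    value="$(cat "$path" 2>/dev/null | tr -d '[:space:]')"
    case "$value" in
        0) printf 'disabled\n' ;;
        1) printf 'enabled\n' ;;
        *) printf 'unavailable\n' ;;
    esac
}

# tiocsti_check [PATH] -> exit 0 when TIOCSTI is disabled, 1 when the host is
# still exposed (either enabled or impossible to disable on this kernel).
tiocsti_check() {
    status="$(tiocsti_status "${1:-}")"
    case "$status" in
        disabled)
            echo "ok: legacy TIOCSTI is disabled"
            return 0 ;;
        enabled)
            echo "EXPOSED: legacy TIOCSTI is enabled; apply sysctl -w dev.tty.legacy_tiocsti=0 and persist it under /etc/sysctl.d/"
            return 1 ;;
        *)
            echo "EXPOSED: no legacy_tiocsti sysctl; this kernel cannot disable TIOCSTI (needs 6.2+ with CONFIG_LEGACY_TIOCSTI)"
            return 1 ;;
    esac
}

# Run as a script with:  sh tiocsti_check.sh --check
case "${1:-}" in
    --check) tiocsti_check ;;
esac
```

The check covers only TIOCSTI. The CVE text states the issue is unexploitable only when both TIOCSTI and TIOCLINUX are disabled, so a passing result here does not by itself close the TIOCLINUX path; the PTY-based workaround (running the elevated command under a separate pseudo-terminal rather than the caller's own terminal) is the measure that addresses both.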
[1] NVD - CVE-2023-46277
[2] Vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX › RustSec Advisory Database
[3] [Git master] Vulnerable to privilege escalation using ioctls TIOCSTI and TIOCLINUX (#13) · Issues · ed neville / please · GitLab
[4] Document the privilege-escalation vulnerability in pleaser. by alexanderkjall · Pull Request #1798 · rustsec/advisory-db
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pleaser (crates.io) | <= 0.5.4 | — |
Affected products
- please/please
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cgf8-h3fp-h956 (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-46277 (source: ghsa, type: ADVISORY)
- github.com/rustsec/advisory-db/pull/1798 (source: ghsa, type: WEB)
- gitlab.com/edneville/please/-/issues/13 (source: ghsa, type: WEB)
- gitlab.com/edneville/please/-/merge_requests/69 (source: ghsa, type: WEB)
- rustsec.org/advisories/RUSTSEC-2023-0066.html (source: ghsa, type: WEB)
News mentions
No linked articles in our index yet.