[1522] in linux-security and linux-alert archive
[linux-security] Re: Yet Another DIP Exploit?
daemon@ATHENA.MIT.EDU (Ingo Rammer)
Thu May 1 11:56:52 1997
From: "Ingo Rammer" <rammeri@winternet.co.at>
To: <linux-security@redhat.com>
Date: Thu, 1 May 1997 14:37:24 +0200
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
> I seem to have stumbled across another vulnerability in DIP. It
>appears to allow any user to gain control of arbitrary devices in /dev.
>For instance, I have successfully stolen keystrokes from a root login as
>follows... (I could also dump characters to the root console)
I think this is a problem with your setup, because in my quite
out-of-the-box redhat 4.0 it is differently:
$ ls -l /usr/sbin/dip <---- so you can see it's setuid root
-rwsr-sr-x 1 root uucp 69972 Sep 3 1996 /usr/sbin/dip
$ whoami
ingo
$ cat < /dev/tty1 <------ root login here
bash: /dev/tty1: Permission denied <------ nope, we can see it
$ dip -t
DIP: Dialup IP Protocol Driver version 3.3.7o-uri (8 Feb 96)
Written by Fred N. van Kempen, MicroWalt Corporation.
DIP> port tty1
DIP: tty: open(/dev/tty1, RW): Permission denied
$
no security-problem here, it checks the perms correctly.
Ingo