[1522] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Yet Another DIP Exploit?

daemon@ATHENA.MIT.EDU (Ingo Rammer)
Thu May 1 11:56:52 1997

From: "Ingo Rammer" <rammeri@winternet.co.at>
To: <linux-security@redhat.com>
Date: Thu, 1 May 1997 14:37:24 +0200
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

>   I seem to have stumbled across another vulnerability in DIP.  It
>appears to allow any user to gain control of arbitrary devices in /dev.
>For instance, I have successfully stolen keystrokes from a root login as
>follows...  (I could also dump characters to the root console)

I think this is a problem with your setup, because in my quite
out-of-the-box redhat 4.0 it is differently:

$ ls -l /usr/sbin/dip         <---- so you can see it's setuid root
-rwsr-sr-x     1    root    uucp    69972   Sep   3  1996  /usr/sbin/dip
$ whoami
ingo
$ cat < /dev/tty1                    <------ root login here
bash: /dev/tty1: Permission denied   <------ nope, we can see it
$ dip -t
DIP: Dialup IP Protocol Driver version 3.3.7o-uri (8 Feb 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

DIP> port tty1
DIP: tty: open(/dev/tty1, RW): Permission denied
$


no security-problem here, it checks the perms correctly.

Ingo


home help back first fref pref prev next nref lref last post