

Re: Securax Advisory 13

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Tue Jan 2 18:58:21 2001

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Message-Id:  <Pine.LNX.4.30.0101022041530.30270-100000@dione.ids.pl>
Date:         Tue, 2 Jan 2001 20:55:10 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To:         incubus <incubus@SECURAX.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <001701c07403$d18d5bc0$8656e0d5@pandora.be>
Content-Transfer-Encoding: 8bit

On Mon, 1 Jan 2001, incubus wrote:

> when someone telnets to a unix system, the tty that will be assigned
> to him will be writable for any user on the system. However, when he
> is logged in, his tty will not be writable for all users. So if
> someone would write data to a tty that is currently used by someone
> who's logging in, that person won't be able to log in.

Completely wrong:

a) first of all, modern Linux boxes have a dynamic pts allocation scheme
   (devpts or Unix '98 ptys). In this case, the pts lives as long as you
   are using it, and is NOT a static object which is world-writable
   before use,

b) then, whenever this mechanism is not available, which is the case
   you are talking about, it works this way: in order to open /dev/ttypa0
   (for example), you have to open /dev/ptya0 (master + slave device
   scheme); as long as you are using the pseudo-terminal (read: as long as
   you own the fd), it wouldn't be allocated by anyone else (because
   /dev/ptya0 cannot be re-opened - it is exclusive access). So, as long
   as you are keeping a descriptor to the pseudo-terminal device, it
   wouldn't be reused. Period. You cannot keep the fd using a background
   process, logout, log in again and have the same tty.

Please read the documentation.

[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ttyb1
cat: /dev/ttyb1: Błąd wejścia/wyjścia

(cannot access slave without opening master)

[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ptyb1 &
[1] 6296
[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ptyb1
cat: /dev/ptyb1: I/O error

(can open master only once)

[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ttyb1 &
[2] 6298
[lcamtuf@squirrel:6 lcamtuf]$ kill -9 6296
[1]-  Killed                  cat /dev/ptyb1
[2]+  Done                    cat /dev/ttyb1

(you cannot keep the fd after closing the master)

>  bzero(tty, sizeof(tty));
>  strcat(tty, "/dev/tty4"); /* change to tty you want */

Real terminals (ttys) have a completely different mechanism and are
NOT used for remote (e.g. telnet) system access. And even in this case, you
have the so-called terminal hangup mechanism, which will protect you against
such attacks, btw.

>  write(fd, string, sizeof(string));

...consider TIOCSTI, btw...

-- 
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
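The transcript above shows the BSD-style pty rules (slave unusable without its master, master openable once, slave hung up when the master goes away) by hand. The following program is an added illustration, not code from this thread or from either poster, and walks through the same lifecycle for the Unix '98 devpts scheme that point (a) refers to. It deliberately uses the raw Linux interfaces so the master/slave relationship stays visible: opening /dev/ptmx is what posix_openpt() does, TIOCGPTN is what ptsname() uses, and TIOCSPTLCK is what unlockpt() uses; grantpt() is omitted because devpts already creates the slave node owned by the caller. It is Linux-specific and assumes /dev/ptmx and a mounted /dev/pts are available.

```c
/* Added illustration of the Unix '98 pseudo-terminal lifecycle (Linux only).
 * Not part of the original thread. Shows that a /dev/pts/N slave has no
 * independent existence: it appears when a master is opened via /dev/ptmx,
 * cannot be opened by anyone until the master's owner unlocks it, and is
 * hung up the moment the master descriptor is closed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

enum {
    PTY_SLAVE_LOCKED_BEFORE_UNLOCK = 1, /* open(slave) fails with EIO while locked     */
    PTY_SLAVE_OPENS_AFTER_UNLOCK   = 2, /* open(slave) succeeds once unlocked          */
    PTY_SLAVE_HUNG_UP_AFTER_MASTER = 4  /* read(slave) reports hangup after master close */
};

#define PTY_ALL_OBSERVED (PTY_SLAVE_LOCKED_BEFORE_UNLOCK | \
                          PTY_SLAVE_OPENS_AFTER_UNLOCK | \
                          PTY_SLAVE_HUNG_UP_AFTER_MASTER)

/* Returns a bitmask of the observations above, or -1 if no pty could be
 * allocated at all (e.g. /dev/ptmx absent in a restricted sandbox). */
int pty_lifecycle(void)
{
    int result = 0;
    char slave_path[32];
    unsigned int ptn;
    int unlock = 0;

    /* Step 1: each open of /dev/ptmx allocates a fresh master and a matching
     * /dev/pts/N. Nothing pre-exists for a third party to write into, and the
     * number is only known once the master is held. (posix_openpt() does this.) */
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (ioctl(master, TIOCGPTN, &ptn) < 0) {   /* what ptsname() asks the kernel */
        close(master);
        return -1;
    }
    snprintf(slave_path, sizeof slave_path, "/dev/pts/%u", ptn);

    /* Step 2: the slave node exists but is still locked; open() is refused with EIO. */
    int slave = open(slave_path, O_RDWR | O_NOCTTY | O_NONBLOCK);
    if (slave < 0 && errno == EIO)
        result |= PTY_SLAVE_LOCKED_BEFORE_UNLOCK;
    else if (slave >= 0)
        close(slave);

    /* Step 3: only the holder of the master fd can unlock the slave (unlockpt()). */
    if (ioctl(master, TIOCSPTLCK, &unlock) < 0) {
        close(master);
        return result;
    }
    slave = open(slave_path, O_RDWR | O_NOCTTY | O_NONBLOCK);
    if (slave < 0) {
        close(master);
        return result;
    }
    result |= PTY_SLAVE_OPENS_AFTER_UNLOCK;

    /* Step 4: drop the master. The kernel hangs the slave up immediately, so a
     * read yields EOF or EIO instead of data. O_NONBLOCK turns the "still
     * alive" case into EAGAIN rather than an indefinite wait. */
    close(master);
    char buf[16];
    ssize_t n = read(slave, buf, sizeof buf);
    if (n == 0 || (n < 0 && errno == EIO))
        result |= PTY_SLAVE_HUNG_UP_AFTER_MASTER;
    close(slave);
    return result;
}

int main(void)
{
    int r = pty_lifecycle();
    if (r < 0) {
        perror("/dev/ptmx");
        return 1;
    }
    printf("slave refused while locked:       %s\n", (r & PTY_SLAVE_LOCKED_BEFORE_UNLOCK) ? "yes" : "no");
    printf("slave opens after unlock:         %s\n", (r & PTY_SLAVE_OPENS_AFTER_UNLOCK) ? "yes" : "no");
    printf("slave hung up once master closed: %s\n", (r & PTY_SLAVE_HUNG_UP_AFTER_MASTER) ? "yes" : "no");
    return r == PTY_ALL_OBSERVED ? 0 : 1;
}
```

Compile with `cc pty_lifecycle.c -o pty_lifecycle` and run as an unprivileged user; all three lines print "yes" on a normal Linux system. The O_NONBLOCK flag on the slave is what keeps step 4 from blocking forever should a kernel ever fail to hang the slave up, which is the failure mode one would actually be checking for here.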
