[4391] in bugtraq
Re: [linux-security] Yet Another DIP Exploit?
daemon@ATHENA.MIT.EDU (Uri Blumenthal)
Thu May 1 16:34:54 1997
Date: Thu, 1 May 1997 14:46:54 -0400
Reply-To: uri@watson.ibm.com
From: Uri Blumenthal <uri@WATSON.IBM.COM>
X-To: linux-security@redhat.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.91.970430005748.4392A-100000@warrior.0wned.org> from
"George Staikos" at Apr 30, 97 01:23:28 am

George Staikos says:
> I seem to have stumbled across another vulnerability in DIP. It
> appears to allow any user to gain control of arbitrary devices in /dev.
> For instance, I have successfully stolen keystrokes from a root login as
> follows... (I could also dump characters to the root console)

Well, of course. This will be true for as long as the tty devices
are not rw by "other".

> DIP> port tty1
> DIP> echo on
> DIP> term
>
> I'm sure there are many more creative things to do with this, but this is
> the first thing that came to mind when I discovered it, and is a good
> example of what can be done. Not all devices are accessible. I have not
> looked into the patch at this time, but I recommend chmod u-s dip, as
> usual! :)

If you do "u-s", you break dip for every non-root user. There is no
patch I can think of. It is assumed that whoever is allowed to dip
outside is trusted enough, and "dip" is not executable by "other".

Feel free to post or e-mail a constructive recommendation/patch.
--
Regards,
Uri uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>