[15365] in bugtraq


Re: Splitvt exploit

daemon@ATHENA.MIT.EDU (Joey Hess)
Fri Jun 16 12:54:05 2000

Mail-Followup-To: Thomas Biege <thomas@SUSE.DE>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000615164901.T6679@kitenet.net>
Date:         Thu, 15 Jun 2000 16:49:01 -0700
Reply-To: Joey Hess <joey@KITENET.NET>
From: Joey Hess <joey@KITENET.NET>
X-To:         Thomas Biege <thomas@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.05.10006151927230.18800-100000@Galois.suse.de>; from
              thomas@SUSE.DE on Thu, Jun 15, 2000 at 07:28:18PM +0200

Thomas Biege wrote:
> splitvt isn't installed setuid on SuSE Linux.

So how does it work?

If it's not setuid, and has not been patched to use devpts, it has no
way of chowning the ttys it uses. That means that when you run splitvt,
you are typing into a shell that is connected to a tty that is
(typically) mode:

crw-rw-rw-    1 root     tty        3, 176 Jun 14 14:53 /dev/ttya0

Thus, third parties can, e.g., write escape sequences to the terminal, and
possibly remap keystrokes to do evil things. And they can certainly
capture your keystrokes to that terminal.

--
see shy jo
