[15391] in bugtraq
Re: Fwd: Re: Splitvt exploit
daemon@ATHENA.MIT.EDU (Thomas Biege)
Tue Jun 20 04:26:50 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.05.10006200831270.15347-100000@Galois.suse.de>
Date: Tue, 20 Jun 2000 08:36:11 +0200
Reply-To: Thomas Biege <thomas@SUSE.DE>
From: Thomas Biege <thomas@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <00061920562900.05142@wintermute>
Hi,
> > splitvt isn't installed setuid on SuSE Linux.
>
> So how does it work?
>
> If it's not setuid, and has not been patched to use devpts, it has no
> way of chowning the tty's it uses. That means that when you run splitvt,
> you are typing into a shell that is connected to a tty that is
> (typically) mode:
>
> crw-rw-rw- 1 root tty 3, 176 Jun 14 14:53 /dev/ttya0
>
> Thus, third parties can eg, write escape sequences to the terminal, and
> possibly remap keystrokes to do evil things. And they can certainly
> capture your keystrokes to that terminal.
Yes, you're right.
We're currently testing splitvt with the /dev/pts stuff.... thanks for
that hint.
Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
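The quoted message describes the condition to look for: a pty that the non-setuid program could not chown, left at mode crw-rw-rw- so that any local user can read from or write to it. The following POSIX sh script is an added example for checking that condition from `ls -l` output; it is not part of the original Bugtraq post or of splitvt. The sample listing is constructed (only the /dev/ttya0 line is taken from the message), and the classification rule (any other-access flagged, group-read flagged, group-write tolerated as the conventional mesg(1) setting) is the example's own assumption.

```shell
#!/bin/sh
# Added example: classify tty device lines in "ls -l" format by how exposed
# they are to other local users. Not code from the original post.

# tty_access_risk LINE
# Prints one verdict for a single ls -l line of a character device:
#   world-accessible  other users can read and/or write the tty
#   group-readable    the tty group can read it (keystroke exposure)
#   ok                only the owner can read; group may have the conventional
#                     write bit that mesg(1)/write(1) rely on
#   not-a-tty         the line is not a character device
# Always returns 0 so it can be used inside command substitutions.
tty_access_risk() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    case "$mode" in
        c*) ;;
        *) echo "not-a-tty"; return 0 ;;
    esac
    # ls -l mode string: c rwx(owner) rwx(group) rwx(other); ACL/SELinux
    # markers in column 11 are ignored.
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)
    case "$other" in
        *[rw]*) echo "world-accessible"; return 0 ;;
    esac
    case "$group" in
        *r*) echo "group-readable"; return 0 ;;
    esac
    echo "ok"
    return 0
}

# audit_listing LISTING
# Runs tty_access_risk over every line of LISTING and prints
# "<verdict> <device path>" for each tty that is not "ok".
audit_listing() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(tty_access_risk "$line")
        if [ "$verdict" != "ok" ] && [ "$verdict" != "not-a-tty" ]; then
            path=$(printf '%s\n' "$line" | awk '{print $NF}')
            printf '%s %s\n' "$verdict" "$path"
        fi
    done
}

# Constructed sample listing. The first line is the world-writable tty quoted
# in the message; the other two are hypothetical devpts/chown-style entries.
SAMPLE_LISTING='crw-rw-rw- 1 root tty 3, 176 Jun 14 14:53 /dev/ttya0
crw--w---- 1 alice tty 136, 1 Jun 20 08:30 /dev/pts/1
crw-r----- 1 alice tty 4, 1 Jun 20 08:31 /dev/tty1'

# Usage: on a live system replace SAMPLE_LISTING with "$(ls -l /dev/tty* /dev/pts/*)".
audit_listing "$SAMPLE_LISTING"
```

On the constructed input the script flags /dev/ttya0 as world-accessible and /dev/tty1 as group-readable, and accepts /dev/pts/1, whose only non-owner bit is the group write bit that the tty group is expected to have.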