[17557] in bugtraq


Re: vlock vulnerability (solution: w00w00's CAP)

daemon@ATHENA.MIT.EDU (Matt Conover)
Wed Nov 8 14:49:49 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSF.4.21.0011071218240.83592-100000@camel.ethereal.net>
Date:         Tue, 7 Nov 2000 12:37:17 -0800
Reply-To: Matt Conover <shok@CAMEL.ETHEREAL.NET>
From: Matt Conover <shok@CAMEL.ETHEREAL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <001f01c04888$f18d3810$d400000a@bart>

I didn't verify this vulnerability (I don't have vlock), but w00w00 made a
related utility a few years ago called CAP (Console Access
Protection) that does not have this vulnerability (AFAIK).

It was written in conjunction with an article on console IOCTLs
(http://www.w00w00.org/articles.html).  CAP is available at
http://www.w00w00.org/files/misc/conutils/CAP.c.  It will prevent new
login attempts after three failures for three minutes (or as defined), so
the method you used will not work either.  In addition, once the password
is properly entered, it states whether the terminal had previously been
accessed and the number of failed attempts.  The password to unlock will be
the root's password.  It will support both shadowed and non-shadowed if
NO_USE_SHADOW is defined.

CTRL-ALT-DEL isn't blocked because it serves little purpose (though
it can be disabled through a sysctl).  Other than rebooting, there is no
practical way to get around it.  I'm assuming the administrator will sit
there until ioctl() to lock the terminal completes (a few clock ticks).

Matt

On Tue, 7 Nov 2000, Bartlomiej Grzybicki wrote:

> I've tried to lock all virtual consoles
> in RedHat 7.0 using vlock, which
> is delivered with this release of RedHat.
>
> If user root locks all consoles - it's no problem,
> but if normal user locks consoles then
> anybody can unlock without typing a password.
>
> Try to use it in the following way:
>
> 1. logon as an ordinary user on tty1
> 2. logon as root on tty2
> 3. Type on tty1 vlock -a
> 4. All consoles will be locked.
> 5. When vlock asks for password
> press ENTER and don't release the key
> until you see message 'broken pipe'.
> 6. If you see it all two consoles are unlocked.
>
> Regards,
>
> Bartlomiej Grzybicki ############################
> MORLINY SA http://www.morliny.pl
> bgrzybicki@morliny.pl http://www.bgrzybicki.morliny.pl
> mobile: +48 601 279 976 ########################
>
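
The lockout behaviour described in the reply above (three failures, then a three-minute refusal, with the failure count reported on unlock), as an added example that is not CAP's source code and not part of the original message. The type and function names are hypothetical, and counting a verifier error as a failed attempt is an assumption of this example.

```c
#include <stdio.h>
#include <time.h>

#define MAX_FAILURES 3          /* failures before lockout (from the post) */
#define LOCKOUT_SECS (3 * 60)   /* lockout length (from the post) */

enum verdict { V_MATCH, V_MISMATCH, V_ERROR };   /* password check outcome */
enum result  { R_UNLOCKED, R_DENIED, R_LOCKED_OUT };

struct lock_state {
    int    streak;        /* consecutive failures since the last lockout */
    int    total_failed;  /* all failures, reported on unlock */
    time_t locked_until;  /* 0 when no lockout is active */
};

/* Process one unlock attempt at time `now`. Anything except V_MATCH
 * (including a verifier error such as a failed read) counts as a failure,
 * so the lock fails closed (assumption of this example). */
enum result attempt(struct lock_state *s, enum verdict v, time_t now)
{
    if (now < s->locked_until)
        return R_LOCKED_OUT;          /* refused without checking input */
    if (v == V_MATCH) {
        s->streak = 0;
        s->locked_until = 0;
        return R_UNLOCKED;
    }
    s->total_failed++;
    if (++s->streak >= MAX_FAILURES) {
        s->streak = 0;
        s->locked_until = now + LOCKOUT_SECS;
    }
    return R_DENIED;
}

int main(void)
{
    struct lock_state s = {0, 0, 0};
    time_t t = 1000;                      /* constructed clock value */
    attempt(&s, V_MISMATCH, t);
    attempt(&s, V_ERROR, t + 1);
    attempt(&s, V_MISMATCH, t + 2);       /* third failure starts lockout */
    if (attempt(&s, V_MATCH, t + 3) == R_LOCKED_OUT)
        puts("correct password refused during lockout");
    if (attempt(&s, V_MATCH, t + 2 + LOCKOUT_SECS) == R_UNLOCKED)
        printf("unlocked; %d failed attempt(s) recorded\n", s.total_failed);
    return 0;
}
```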
