Subject: Re: Securax Advisory 13
From: Michal Zalewski (lcamtuf@DIONE.IDS.PL)
Date: Tue Jan 02 2001 - 13:55:10 CST
On Mon, 1 Jan 2001, incubus wrote:
> when someone telnets to a unix system, the tty that will be assigned
> to him will be writable for any user on the system. However, when he
> is logged in, his tty will not be writable for all users. So if
> someone would write data to a tty that is currently used by someone
> who's logging in, that person won't be able to log in.
Completely wrong:

a) first of all, modern Linux boxes have a dynamic pts allocation scheme
(devpts or Unix '98 ptys). In this case, a pts lives as long as you
are using it, and is NOT a static object which is world-writable
before use,

b) then, whenever this mechanism is not available, which is the case
you are talking about, it works this way: in order to open /dev/ttypa0
(for example), you have to open /dev/ptya0 (master + slave device
scheme); as long as you are using the pseudo-terminal (read: as long as
you own the fd), it won't be allocated by anyone else (because
/dev/ptya0 cannot be re-opened - it is exclusive access). So, as long
as you are keeping a descriptor to the pseudo-terminal device, it
won't be reused. Period. You cannot keep the fd using a background
process, log out, log in again and have the same tty.
Please read the documentation.
[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ttyb1
cat: /dev/ttyb1: Błąd wejścia/wyjścia
(cannot access slave without opening master)
[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ptyb1 &
[1] 6296
[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ptyb1
cat: /dev/ptyb1: I/O error
(can open master only once)
[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ttyb1 &
[2] 6298
[lcamtuf@squirrel:6 lcamtuf]$ kill -9 6296
[1]- Killed cat /dev/ptyb1
[2]+ Done cat /dev/ttyb1
(you cannot keep the fd after closing the master)
> bzero(tty, sizeof(tty));
> strcat(tty, "/dev/tty4"); /* change to tty you want */
Real terminals (ttys) have a completely different mechanism and are
NOT used for remote (e.g. telnet) system access. And even in this case, you
have the so-called terminal hangup mechanism, which will protect you against
such attacks, btw.
> write(fd, string, sizeof(string));
...consider TIOCSTI, btw...
--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =--=>
Did you know that clones never use mirrors? <=--=
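The master/slave lifecycle the reply describes, as an added example that is not part of the original post: a constructed check for the Unix '98 (devpts) scheme from point a), which assumes a Linux host with /dev/ptmx and the TIOCSPTLCK/TIOCGPTN ioctls, and verifies that the slave is usable only while the master fd is held and that closing the master hangs the slave up and removes its node.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Constructed check of the Unix '98 (devpts) pty lifecycle from the reply:
 * /dev/pts/N exists only after a master is allocated from /dev/ptmx, works
 * while that master fd is held, and is hung up and unlinked when it closes.
 * Returns 0 if all steps match, the failing step number, or -1 when no pty
 * could be allocated at all (e.g. /dev/ptmx missing in a sandbox). */
int pty_lifecycle_check(void)
{
    char path[32], buf[32];
    int master, slave, unlock = 0;
    unsigned int idx;
    ssize_t n;

    /* Step 1: allocate a master and unlock its slave (what unlockpt does). */
    master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (ioctl(master, TIOCSPTLCK, &unlock) < 0 || ioctl(master, TIOCGPTN, &idx) < 0)
        return 1;
    snprintf(path, sizeof path, "/dev/pts/%u", idx);

    /* Step 2: with the master held, the slave opens and receives data. */
    slave = open(path, O_RDWR | O_NOCTTY);
    if (slave < 0 || write(master, "hello\n", 6) != 6)
        return 2;
    n = read(slave, buf, sizeof buf);          /* canonical mode: one line */
    if (n != 6 || memcmp(buf, "hello\n", 6) != 0)
        return 2;

    /* Step 3: closing the master hangs the slave up (read gives EOF/EIO)
     * and removes /dev/pts/N, so the same path cannot be reopened. */
    close(master);
    n = read(slave, buf, sizeof buf);
    if (n > 0 || open(path, O_RDWR | O_NOCTTY) >= 0)
        return 3;
    close(slave);
    return 0;
}

int main(void)
{
    int rc = pty_lifecycle_check();
    printf("pty lifecycle check: %s (code %d)\n", rc == 0 ? "ok" : "mismatch", rc);
    return rc == 0 ? 0 : 1;
}
```

A return of -1 only means the environment offers no pty at all; any positive value marks the step whose behaviour differs from the one described in the reply.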