Open Source and information security mailing list archives
 
Date: Wed, 14 Jul 2004 12:26:30 +0200
From: lorenzo <lagrespan@...il.com>
To: Maarten Tielemans <ttielu_dainfracrew@...mail.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: [security] aterm 0.4.2 tty permission weakness


On 13 Jul 2004 16:04:18 -0000, Maarten Tielemans
<ttielu_dainfracrew@...mail.com> wrote:
> Aterm has an issue with creating a terminal.
> A quick 'ls -al' on an aterm with 'mesg y' shows:
> crw--w--w-  1 alsdk  users    5,   3 Jul 13 17:27 /dev/ttyp3
> with 'mesg n':
> crw-----w-  1 alsdk  users    5,   3 Jul 13 17:28 /dev/ttyp3

on debian unstable, with aterm 0.4.2:

 [1] k@...o:~ 4$ aterm -V
aterm version 0.4.2

let's see who's online

 [2] k@...o:~ 4$ w     
 12:19:27 up 25 min,  2 users,  load average: 0.02, 0.05, 0.10
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
k        pts/1    :0.0             11:57   23.00s  0.15s  0.03s /usr/bin/aterm
k        pts/4    :0.0             12:19    0.00s  0.15s  0.00s w

now let's see their pts:

 [3] k@...o:~ 4$ ls -la /dev/pts/?
crw-------    1 k        tty      136,   1 Jul 14 12:19 /dev/pts/1
crw--w----    1 k        tty      136,   4 Jul 14 12:19 /dev/pts/4

disabling messages

 [4] k@...o:~ 4$ mesg n
 [5] k@...o:~ 4$ ls -la /dev/pts/4
crw-------    1 k        tty      136,   4 Jul 14 12:19 /dev/pts/4

looks ok to me.

> 1) World (nobody) is able to 'echo' or 'cat' towards the terminal
> echo "hello" >> /dev/ttyp3
> cat mkdir >> /dev/ttyp3

 [6] k@...o:~ 4$ cat mkdir >> /dev/pts/4
cat: mkdir: No such file or directory
..what was the purpose of that? insecure file creation?
the worst thing you could do is

echo "y0u have b33n 0wn3d" >> /dev/pts/x

> Advice: use xterm

well this won't solve the problem. what if xterm has some other small
vulnerability? would you advise to use kconsole next time?

-- 
:lorenzo a. grespan --- GNU/Linux User Group Mantova - Italy
http://lorien.lacasadeifili.net
GPG Key fingerprint = 5372 1B49 9E61 747C FB9A  4DAE 5D2A A9A0 74B4 8F1A
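
Added example, not part of the original message or of aterm: a small Python check that classifies terminal device permissions the way the two listings in this thread differ (other-write bit set versus group-write only, group tty). The function names and the choice of "tty" as the message group are assumptions of this example.

```python
import glob
import grp
import os
import stat


def parse_ls_mode(text):
    """Turn an ls -l mode string such as 'crw--w--w-' into permission bits."""
    if len(text) != 10 or text[0] != "c":
        raise ValueError("expected a 10-character mode string for a character device")
    bits = 0
    for i, ch in enumerate(text[1:]):
        if ch != "-":
            bits |= 1 << (8 - i)
    return bits


def classify(perm_bits, group_name, msg_group="tty"):
    """Say who besides the owner can open the terminal for writing."""
    if perm_bits & stat.S_IWOTH:
        return "world-writable"      # any local user can write to it
    if perm_bits & stat.S_IWGRP:
        # Assumption: msg_group is the group write(1)/wall run setgid as.
        return "mesg y" if group_name == msg_group else "group-writable"
    return "mesg n"                  # owner only


def audit(paths):
    """Stat each path and classify the ones that are character devices."""
    findings = []
    for path in paths:
        st = os.stat(path)
        if not stat.S_ISCHR(st.st_mode):
            continue
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        findings.append((path, classify(stat.S_IMODE(st.st_mode), group)))
    return findings


if __name__ == "__main__":
    # Mode strings and groups quoted in the thread above.
    for mode, group in [("crw--w--w-", "users"), ("crw-----w-", "users"),
                        ("crw--w----", "tty"), ("crw-------", "tty")]:
        print(mode, group, classify(parse_ls_mode(mode), group))
    # Live terminals on this host (Unix98 ptys and legacy BSD ptys).
    for path, verdict in audit(sorted(glob.glob("/dev/pts/[0-9]*") + glob.glob("/dev/tty[p-z]?"))):
        print(path, verdict)
```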

