Re: [security] aterm 0.4.2 tty permission weakness
On 13 Jul 2004 16:04:18 -0000, Maarten Tielemans
<ttielu_dainfracrew@xxxxxxxxxxx> wrote:
> Aterm has an issue with creating a terminal.
> A quick 'ls ?al' on a aterm with 'mesg y' shows:
> crw--w--w- 1 alsdk users 5, 3 Jul 13 17:27 /dev/ttyp3
> with 'mesg n':
> crw-----w- 1 alsdk users 5, 3 Jul 13 17:28 /dev/ttyp3
on debian unstable, with aterm 0.4.2:
[1] k@nemo:~ 4$ aterm -V
aterm version 0.4.2
let's see who's online
[2] k@nemo:~ 4$ w
12:19:27 up 25 min, 2 users, load average: 0.02, 0.05, 0.10
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
k pts/1 :0.0 11:57 23.00s 0.15s 0.03s /usr/bin/aterm
k pts/4 :0.0 12:19 0.00s 0.15s 0.00s w
now let's see their pts:
[3] k@nemo:~ 4$ ls -la /dev/pts/?
crw------- 1 k tty 136, 1 Jul 14 12:19 /dev/pts/1
crw--w---- 1 k tty 136, 4 Jul 14 12:19 /dev/pts/4
disabling messages
[4] k@nemo:~ 4$ mesg n
[5] k@nemo:~ 4$ ls -la /dev/pts/4
crw------- 1 k tty 136, 4 Jul 14 12:19 /dev/pts/4
looks ok to me.
> 1) World (nobody) is able to 'echo' or 'cat' towards the terminal
> echo "hello" >> /dev/ttyp3
> cat mkdir >> /dev/ttyp3
[6] k@nemo:~ 4$ cat mkdir >> /dev/pts/4
cat: mkdir: No such file or directory
..what was the purpose of that? insecure file creation?
the worst thing you could do is
echo "y0u have b33n 0wn3d" >> /dev/pts/x
> Advice: use xterm
well this won't solve the problem. what if xterm has some other small
vulnerability? would you advice to use kconsole next time?
--
:lorenzo a. grespan --- GNU/Linux User Group Mantova - Italy
http://lorien.lacasadeifili.net
GPG Key fingerprint = 5372 1B49 9E61 747C FB9A 4DAE 5D2A A9A0 74B4 8F1A