Insecure pty permissions in OS X < 10.4

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Insecure pty permissions in OS X < 10.4
From: Matt Johnston <matt@xxxxxxxxxx>
Date: Sun, 1 May 2005 17:14:35 +0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.5.6+20040907i

Hi all.

Mac OS X 10.3.x and earlier doesn't provide any mechanism
for non-setuid-root programs to change permissions on ptys.

Hence xterms, screen sessions, and Terminal.app windows (with
explicitly specified commands) are vulnerable to tty
sniffing. Note that using Terminal.app's standard terminal
with /usr/bin/login is safe since login is setuid root.

An example:

arctic:~> screen
... new screen session starts ...
arctic:~> ls -l $TTY
crw-rw-rw-  1 root  wheel    4,   2  1 May 16:44 /dev/ttyp2

This problem is fixed in 10.4, the devfs appears to be
setting permissions on openpty() or something (I haven't
looked at the mechanism yet). Apple were notified of the
problem on 20 July 2004. 


It's good to see that 10.4 has optional encrypted swap,
resolving the separate issue of passwords being swapped to
disk (fixing it for 3rd party apps as well).

Matt

Prev by Date: Clients format string and server crash in Mtp-Target 1.2.2
Next by Date: Re: Apache hacks (./atac, d0s.txt)
Previous by thread: Clients format string and server crash in Mtp-Target 1.2.2
Next by thread: Microsoft WINS Vulnerability + OS/SP Scanner
Index(es):
- Date
- Thread