Bugtraq mailing list archives

Re: pt_chmod


From: belal () sco COM (Bela Lubkin)
Date: Sun, 4 Dec 1994 00:19:34 -0800


Peter Wemm wrote:

> Hmm, something else I thought of too.  Imagine:  root is logged in on
> /dev/pts/34, and has the tty set to mode 0622.  Guess what this would
> do if you were a normal user: /usr/lib/pt_chmod 1 > /dev/pts/34
> You could then TIOCSTI to your heart's content.

We don't support TIOCSTI, at least partly for security reasons (that,
and it's never appeared in any of the standards we support -- is it in
Spec1170?)  Of course, if you own someone's tty they're screwed anyway.

SCO UNIX sets ttys to group terminal, 600, or 620 for writable, so the
attacker wouldn't be able to do this in the first place.

> A plea to OS programmers:
> *don't* use "chown" on the result of ptsname() - use fchown() - the
> user might have passed in an fd that's from a network mounted partition in
> an attempt to change the ownership of the local alias of the device.

This won't work: the fd that's passed to ptsname() is a nameless clone
inode, the master side of the pty.  (Try it -- compile your pt_chmod
replacement, add in an fstat call and print out the rdev; compare with
the expected device # of the pty).  The purpose of grantpt(), which is
implemented via /usr/lib/pt_chmod, is to provide access to the slave
side of this nameless master side device.  The user program doesn't have
the slave side open yet and won't be able to open it until it's been
pt_chmod'd for him.  The ioctl that ptsname() calls only applies to the
master side; ptsname() will return NULL when called on a slave side fd.

This attack wouldn't work from an identical system anyway, since there
wouldn't be a device node in the filesystem for the master side.  From a
system with a different major number mapping he can probably find some
device (probably something less complex to attack than a pty) which is
innocuous there but dangerous here.  If he's root over there, he can
just make one -- anywhere in any filesystem of his you've got mounted.
So if your NFS does anything at all with device nodes, you're in
trouble.  In fact, NFS is pretty dangerous no matter how you slice it.

Bela
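A worked version of the experiment Bela describes above (fstat the master fd, print its rdev, compare it with the slave device that ptsname() names, then try ptsname() on the slave side), added here as an illustration and not code from the original thread. It is written for a modern Linux/glibc system, so it uses posix_openpt(), grantpt() and unlockpt() rather than the SCO UNIX /usr/lib/pt_chmod path the message discusses; the struct and function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <unistd.h>

/* Results of the probe.  Field names are this example's own. */
struct pty_probe {
    dev_t master_rdev;          /* rdev of the master fd (the shared clone device) */
    dev_t slave_rdev;           /* rdev of the /dev/pts/N slave node               */
    char  slave_path[64];       /* what ptsname() returned for the master fd       */
    int   ptsname_on_slave_ok;  /* 1 if ptsname() accepted the slave fd            */
};

/* Open a pty pair and record what each side looks like to stat().
 * Returns 0 on success, -1 if no pty could be allocated (for example when
 * /dev/ptmx or /dev/pts is absent in a sandbox).  Both fds are closed
 * before returning. */
int probe_pty_pair(struct pty_probe *out)
{
    struct stat ms, ss;
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;

    /* grantpt() is the portable face of SCO's /usr/lib/pt_chmod: it fixes
     * the owner and mode of the slave node so the caller may open it.
     * unlockpt() is the extra step Linux and SVR4 require. */
    if (grantpt(master) < 0 || unlockpt(master) < 0) {
        close(master);
        return -1;
    }

    /* ptsname() issues its ioctl on the master side only. */
    const char *name = ptsname(master);
    if (!name || fstat(master, &ms) < 0 || stat(name, &ss) < 0) {
        close(master);
        return -1;
    }
    snprintf(out->slave_path, sizeof out->slave_path, "%s", name);
    out->master_rdev = ms.st_rdev;   /* not the slave's device number */
    out->slave_rdev  = ss.st_rdev;

    int slave = open(name, O_RDWR | O_NOCTTY);
    if (slave < 0) {
        close(master);
        return -1;
    }
    /* The master-side ioctl has no meaning on the slave fd; record what
     * this system does rather than assuming. */
    out->ptsname_on_slave_ok = (ptsname(slave) != NULL);

    close(slave);
    close(master);
    return 0;
}

int main(void)
{
    struct pty_probe p;
    if (probe_pty_pair(&p) < 0) {
        perror("probe_pty_pair");
        return 1;
    }
    printf("master fd rdev: major %u minor %u\n",
           major(p.master_rdev), minor(p.master_rdev));
    printf("slave %s rdev: major %u minor %u\n", p.slave_path,
           major(p.slave_rdev), minor(p.slave_rdev));
    printf("ptsname() on the slave fd: %s\n",
           p.ptsname_on_slave_ok ? "succeeded" : "returned NULL");
    return 0;
}
```

On Linux the master fd's rdev is that of the shared /dev/ptmx clone device (major 5, minor 2), while the slave node lives on the devpts major; the two never match. That is the concrete form of Bela's point: an fchown() on the fd the caller holds can only ever touch the master's inode, so the slave node has to be chowned by name, which is exactly the privileged job grantpt() (pt_chmod on SCO) exists to do.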
