Bugtraq mailing list archives
Re: pt_chmod
From: belal () sco COM (Bela Lubkin)
Date: Sun, 4 Dec 1994 00:19:34 -0800
Peter Wemm wrote:
> Hmm. Something else I thought of too. Imagine: root is logged in on /dev/pts/34, and has the tty set to mode 0622. Guess what this would do if you were a normal user: /usr/lib/pt_chmod 1 > /dev/pts/34 You could then TIOCSTI to your heart's content.
We don't support TIOCSTI, at least partly for security reasons (that, and it's never appeared in any of the standards we support -- is it in Spec1170?) Of course, if you own someone's tty they're screwed anyway. SCO UNIX sets ttys to group terminal, 600, or 620 for writable, so the attacker wouldn't be able to do this in the first place.
> A plea to OS programmers: *don't* use "chown" on the result of the ptsname() - use fchown() - the user might have passed a fd in that's from a network mounted partition in an attempt to change the ownership of the local alias of the device.
This won't work: the fd that's passed to ptsname() is a nameless clone inode, the master side of the pty. (Try it -- compile your pt_chmod replacement, add in an fstat call and print out the rdev; compare with the expected device # of the pty). The purpose of grantpt(), which is implemented via /usr/lib/pt_chmod, is to provide access to the slave side of this nameless master side device. The user program doesn't have the slave side open yet and won't be able to open it until it's been pt_chmod'd for him. The ioctl that ptsname() calls only applies to the master side; ptsname() will return NULL when called on a slave side fd. This attack wouldn't work from an identical system anyway, since there wouldn't be a device node in the filesystem for the master side. From a system with a different major number mapping he can probably find some device (probably something less complex to attack than a pty) which is innocuous there but dangerous here. If he's root over there, he can just make one -- anywhere in any filesystem of his you've got mounted. So if your NFS does anything at all with device nodes, you're in trouble. In fact, NFS is pretty dangerous no matter how you slice it.
Bela<
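Added example, not part of the thread or of any vendor's pt_chmod: a small C program that does what Bela suggests above, fstat()ing the master fd a grantpt()-style helper receives, comparing its rdev with the slave's, and checking that ptsname() only answers on the master side. It assumes a modern Unix98 pty system (posix_openpt and /dev/pts) rather than the 1994 SCO implementation.

```c
/* Inspect what a grantpt()-style helper (e.g. pt_chmod) is actually handed.
 * Assumes Unix98 ptys: posix_openpt(), grantpt(), unlockpt(), /dev/pts. */
#define _XOPEN_SOURCE 600
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct pty_facts {
    int master_is_chr;     /* fstat(master fd): is it a character device? */
    int slave_is_chr;      /* stat(slave path): character device too?     */
    int rdev_differ;       /* master and slave are different device nodes */
    int ptsname_on_slave;  /* does ptsname() succeed on the *slave* fd?    */
    char slave[64];        /* slave path reported by ptsname(master)       */
};

/* Returns 0 on success, -1 if no pty could be set up here (no /dev/ptmx,
 * or grantpt()/unlockpt() refused), in which case *f is all zeros. */
int inspect_new_pty(struct pty_facts *f)
{
    struct stat ms, ss;
    memset(f, 0, sizeof *f);
    int m = posix_openpt(O_RDWR | O_NOCTTY);
    if (m < 0) return -1;
    /* The master is a nameless clone inode: examine the fd, not a path. */
    if (fstat(m, &ms) == 0) f->master_is_chr = S_ISCHR(ms.st_mode);
    /* grantpt() is where pt_chmod-style privilege is spent on the slave. */
    if (grantpt(m) < 0 || unlockpt(m) < 0) { close(m); return -1; }
    const char *name = ptsname(m);   /* only meaningful on the master side */
    if (!name) { close(m); return -1; }
    snprintf(f->slave, sizeof f->slave, "%s", name);
    if (stat(name, &ss) == 0) {
        f->slave_is_chr = S_ISCHR(ss.st_mode);
        f->rdev_differ  = (ss.st_rdev != ms.st_rdev);
    }
    int s = open(name, O_RDWR | O_NOCTTY);
    if (s >= 0) { f->ptsname_on_slave = (ptsname(s) != NULL); close(s); }
    close(m);
    return 0;
}

int main(void)
{
    struct pty_facts f;
    if (inspect_new_pty(&f) != 0) { perror("pty setup"); return 1; }
    printf("%s: master chr=%d slave chr=%d rdev differ=%d ptsname(slave)=%d\n",
           f.slave, f.master_is_chr, f.slave_is_chr, f.rdev_differ,
           f.ptsname_on_slave);
    return 0;
}
```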