Bugtraq mailing list archives

Re: Fwd: Re: Splitvt exploit

From: thomas () SUSE DE (Thomas Biege)
Date: Tue, 20 Jun 2000 08:36:11 +0200

Hi,

splitvt isn't installed setuid on SuSE Linux.


So how does it work?

If it's not setuid, and has not been patched to use devpts, it has no
way of chowning the tty's it uses. That means that when you run splitvt,
you are typing into a shell that is connected to a tty that is
(typically) mode:

crw-rw-rw-    1 root     tty        3, 176 Jun 14 14:53 /dev/ttya0

Thus, third parties can eg, write escape sequences to the terminal, and
possibly remap keystrokes to do evil things. And they can certianly
capture your keystokes to that terminal.


Yes, you're right.

We're currently testing splitvt with the /dev/pts stuff.... thanks for
that hint.

Bye,
     Thomas

--
  Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  E@mail: thomas () suse de      Function: Security Support & Auditing
  "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
   Key fingerprint = 09 48 F2 FD 81 F7 E7 98  6D C7 36 F1 96 6A 12 47

Current thread:

Re: Splitvt exploit Thomas Biege (Jun 15)
- Re: Splitvt exploit Joey Hess (Jun 15)
- <Possible follow-ups>
- Re: Fwd: Re: Splitvt exploit Thomas Biege (Jun 19)