Re: [security] aterm 0.4.2 tty permission weakness

[lorenzo <lagrespan () gmail com>]

On 13 Jul 2004 16:04:18 -0000, Maarten Tielemans
<ttielu_dainfracrew () hotmail com> wrote:
> Aterm has an issue with creating a terminal.
> A quick 'ls –al' on a aterm with 'mesg y' shows:
> crw--w--w-  1 alsdk  users    5,   3 Jul 13 17:27 /dev/ttyp3
> with 'mesg n':
> crw-----w-  1 alsdk  users    5,   3 Jul 13 17:28 /dev/ttyp3

on debian unstable, with aterm 0.4.2:

 [1] k@nemo:~ 4$ aterm -V
aterm version 0.4.2

let's see who's online

 [2] k@nemo:~ 4$ w     
 12:19:27 up 25 min,  2 users,  load average: 0.02, 0.05, 0.10
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
k        pts/1    :0.0             11:57   23.00s  0.15s  0.03s /usr/bin/aterm
k        pts/4    :0.0             12:19    0.00s  0.15s  0.00s w

now let's see their pts:

 [3] k@nemo:~ 4$ ls -la /dev/pts/?
crw-------    1 k        tty      136,   1 Jul 14 12:19 /dev/pts/1
crw--w----    1 k        tty      136,   4 Jul 14 12:19 /dev/pts/4

disabling messages

 [4] k@nemo:~ 4$ mesg n
 [5] k@nemo:~ 4$ ls -la /dev/pts/4
crw-------    1 k        tty      136,   4 Jul 14 12:19 /dev/pts/4

looks ok to me.

> 1) World (nobody) is able to 'echo' or 'cat' towards the terminal
> echo "hello" >> /dev/ttyp3
> cat mkdir >> /dev/ttyp3

 [6] k@nemo:~ 4$ cat mkdir >> /dev/pts/4
cat: mkdir: No such file or directory
..what was the purpose of that? insecure file creation?
the worst thing you could do is

echo "y0u have b33n 0wn3d" >> /dev/pts/x

> Advice: use xterm

well this won't solve the problem. what if xterm has some other small
vulnerability? would you advice to use kconsole next time?

-- 
:lorenzo a. grespan --- GNU/Linux User Group Mantova - Italy
http://lorien.lacasadeifili.net
GPG Key fingerprint = 5372 1B49 9E61 747C FB9A  4DAE 5D2A A9A0 74B4 8F1A