Vulnerability Development mailing list archives

Re: Securax Advisory 13 (from bugtraq)


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Fri, 5 Jan 2001 10:41:13 -0800

[Ouch. Your paragraphs are all on one line. Could you wrap at 72 characters
or so?]

John Herron wrote:

> Ok, I was a little upset to see this posted since I was working on this
> a while back (few months ago) but wanted to get an actual result rather
> than a DoS so I never considered posting it, but as we've seen a few
> people wrote scripts before that too so I can't complain. Ya snooze ya
> lose.

> What I wanted to mention is instead of just a DoS (which IS
> theoretically doable, if you can keep each ttyp* in use or if you can
> continuously send a character to each one and then repeat (although it'd
> have to be fast to truly keep anyone off the system)). What I was trying
> to do (this is in FreeBSD 4.x btw) is when I do a "more /dev/ttyp1" (just
> use the next available ttyp after you), type anything "ls -a", then
> telnet into that machine. Once you telnet in, FreeBSD seems to use the
> first available tty (in this case ttyp1), it opens it, disconnects the
> person trying to connect and on ttyp0 (or whatever your original tty was
> when you did the "more") it will run the command you typed (ls -a).

Hmmm... You do this?

  $ more /dev/ttyp1
  ls -a

So, uh, what's the point/exploit? That's pretty much the same as,

  $ sleep 60
  ls -a

Provided you can type the 'ls -a' in a minute. The 'ls -a' is just waiting
for the 'more' to finish before running. Or more accurately, your input
is being buffered until the 'more' is done running. But I don't see anything
special about using /dev/ttyp1.

> Since ttyp* are all owned by root/wheel I was trying to see if there was
> a way to pull off getting a command to run as root (in my case I was
> always just trying "more /etc/master.passwd"). I was able to create a
> link (hard link though) in the /tmp directory for it, but that doesn't
> do anything neat except I can edit that file and it will also deny that
> terminal (the pain is that the file in the tmp directory "bla" is also
> root/wheel so I as a normal user can't delete it (and I'm just
> commenting.. I just go in as root and kill it since its my box but I'm
> trying to do these tricks w/o any privileges)).

As you noticed, creating a hardlink gives you nothing. And what does
making the hardlink have to do with /dev/ttyp1? You can just,

  $ cd /tmp
  $ ln /etc/master.passwd .

And do what you say, right? This is normal behavior.

> A symbolic link only creates me bla2->/dev/ttyp1 which again, acts like
> editing ttyp1 but again I can't (also don't really know how) if I could
> just write a script to do a command THEN ln /dev/ttyp1 /tmp/bla2 but
> that doesn't work for me so I can't try a symbolic link attack (as far
> as I understand how it works).

Again, where are you going here? What is the security hole you are
trying to exploit? Anyone can create a symbolic link pointing to anything
they'd like provided they can write the parent directory.

> I'm obviously not a skilled hacker, just a person that has the interest
> at this stage so I can only screw around. I figure you all probably know
> if there's any potential here. Any ideas? Also, one last thing.. as user
> "guest" (group guest) whenever I create a file its getting created as
> group "wheel".. should that be happening? (it does it even when I logged
> out and back in)

This is probably the expected behavior. In BSD-type OSes, a new file
is created with the group of its parent directory. Is that the group
of the directory you are in?
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
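The last question in the reply (does a new file get the group of the
directory it is created in?) can be answered on the box itself. The
following is an added example, not code from either poster: a small POSIX
sh check that creates a probe file in a directory and compares the file's
gid with the directory's gid. BSD systems apply the directory's group
unconditionally; SysV-style systems (including Linux) apply the creating
process's effective gid unless the directory carries the setgid bit, so
the check also reports that bit. It uses only `ls -n`, `awk`, `mktemp`
and `chmod`, and the directory names in the demo are made up here.

```shell
#!/bin/sh
# group_inherit_check DIR
# Creates a temporary file in DIR, then prints "<dir gid> <file gid> <setgid|nosetgid>"
# and returns 0 if the new file inherited DIR's group, 1 otherwise, 2 if DIR
# is not writable. Uses `ls -n` (numeric ids) so it works on FreeBSD and Linux.
group_inherit_check() {
    dir=$1
    probe="$dir/.group_probe.$$"
    : > "$probe" || return 2
    # Field 4 of `ls -ln` is the numeric gid.
    dir_gid=$(ls -ldn "$dir" | awk '{print $4}')
    file_gid=$(ls -ln "$probe" | awk '{print $4}')
    # 7th character of the mode string is the group-execute slot;
    # 's' or 'S' there means the setgid bit is set on the directory.
    setgid=$(ls -ld "$dir" | awk '{c=substr($1,7,1); print (c=="s"||c=="S") ? "setgid" : "nosetgid"}')
    rm -f "$probe"
    printf '%s %s %s\n' "$dir_gid" "$file_gid" "$setgid"
    [ "$dir_gid" = "$file_gid" ]
}

# Demo: one setgid directory and one plain directory (both constructed here).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/sg" && chmod g+s "$demo_dir/sg"
mkdir "$demo_dir/plain"
group_inherit_check "$demo_dir/sg" && echo "setgid dir: file inherited directory group"
if group_inherit_check "$demo_dir/plain"; then
    echo "plain dir: file inherited directory group (BSD rule, or gids happen to match)"
else
    echo "plain dir: file got the creator's gid (SysV/Linux rule)"
fi
rm -rf "$demo_dir"
```

Run it as the unprivileged user in question from the directory where the
surprising group shows up; if the directory's gid is wheel's, the result
is the documented BSD behaviour rather than a privilege problem.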


Current thread: