Vulnerability Development mailing list archives
Re: Securax Advisory 13 (from bugtraq)
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Fri, 5 Jan 2001 10:41:13 -0800
[Ouch. Your paragraphs are all on one line. Could you wrap at 72 characters or so?]

John Herron wrote:
> Ok, I was a little upset to see this posted since I was working on this a while back (few months ago) but wanted to get an actual result rather than a DoS so I never considered posting it, but as we've seen a few people wrote scripts before that too so I can't complain. Ya snooze ya lose.
>
> What I wanted to mention is instead of just a DoS (which IS theoretically doable, if you can keep each ttyp* in use or if you can continuously send a character to each one and then repeat (although it'd have to be fast to truly keep anyone off the system)). What I was trying to do (this is in FreeBSD 4.x btw) is when I do a "more /dev/ttyp1" (just use the next available ttyp after you), type anything "ls -a", then telnet into that machine. Once you telnet in, FreeBSD seems to use the first available tty (in this case ttyp1), it opens it, disconnects the person trying to connect and on ttyp0 (or whatever your original tty was when you did the "more") it will run the command you typed (ls -a).
Hmmm... You do this?

$ more /dev/ttyp1
ls -a

So, uh, what's the point/exploit? That's pretty much the same as,

$ sleep 60
ls -a

Provided you can type the 'ls -a' in a minute. The 'ls -a' is just waiting for the 'more' to finish before running. Or more accurately, your input is being buffered until the 'more' is done running. But I don't see anything special about using /dev/ttyp1.
> Since ttyp* are all owned by root/wheel I was trying to see if there was a way to pull off getting a command to run as root (in my case I was always just trying "more /etc/master.passwd"). I was able to create a link (hard link though) in the /tmp directory for it, but that doesn't do anything neat except I can edit that file and it will also deny that terminal (the pain is that the file in the tmp directory "bla" is also root/wheel so I as a normal user can't delete it (and I'm just commenting.. I just go in as root and kill it since it's my box but I'm trying to do these tricks w/o any privileges)).
As you noticed, creating a hardlink gives you nothing. And what does making the hardlink have to do with /dev/ttyp1? You can just,

$ cd /tmp
$ ln /etc/master.passwd .

And do what you say, right? This is normal behavior.
> A symbolic link only creates me bla2->/dev/ttyp1 which again, acts like editing ttyp1 but again I can't (also don't really know how) if I could just write a script to do a command THEN ln /dev/ttyp1 /tmp/bla2 but that doesn't work for me so I can't try a symbolic link attack (as far as I understand how it works).
Again, where are you going here? What is the security hole you are trying to exploit? Anyone can create a symbolic link pointing to anything they'd like provided they can write the parent directory.
> I'm obviously not a skilled hacker, just a person that has the interest at this stage so I can only screw around. I figure you all probably know if there's any potential here. Any ideas? Also, one last thing.. as user "guest" (group guest) whenever I create a file it's getting created as group "wheel".. should that be happening? (it does it even when I logged out and back in)
This is probably the expected behavior. In BSD-type OSes, a new file is created with the group of its parent directory. Is that the group of the directory you are in?

-- 
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926
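The "more /dev/ttyp1" trick discussed above only works because an unprivileged user can open an unused pty for reading (and the DoS variant, because it can be written). The following is an added example, not code from either poster or from the advisory: a small POSIX sh checker that takes an `ls -l` listing of tty device nodes and flags every character device that a non-owner can read or write. The sample listing (device names, owners and modes) is constructed for the demonstration; the function name flag_exposed_ttys is my own.

```shell
#!/bin/sh
# Added example (not from the thread): flag pseudo-tty device nodes that a
# non-owner can read or write. The thread's "more /dev/ttyp1" trick only
# works because an unprivileged user can open the unused pty for reading.

# Constructed `ls -l /dev/ttyp*`-style listing; the names, owners and modes
# are made up for the demonstration.
SAMPLE_LISTING='crw--w----  1 guest  tty    5,   0 Jan  5 10:41 /dev/ttyp0
crw-rw-rw-  1 root   wheel  5,   1 Jan  5 10:41 /dev/ttyp1
crw-------  1 root   wheel  5,   2 Jan  5 10:41 /dev/ttyp2
crw-r--r--  1 root   wheel  5,   3 Jan  5 10:41 /dev/ttyp3
-r-xr-xr-x  1 root   wheel  12345 Jan  5 10:41 /dev/MAKEDEV'

# flag_exposed_ttys: reads ls -l lines on stdin and prints one line per
# character device whose group or "other" read/write bit is set:
#   <path> <mode> <owner>:<group> <read|write|read+write>
# Non-device entries (regular files, directories, symlinks) are skipped.
flag_exposed_ttys() {
    while read -r mode _links owner group rest; do
        case "$mode" in
            c*) ;;           # character device, inspect it
            *) continue ;;   # anything else is not a tty node
        esac
        path=${rest##* }     # last whitespace-separated field is the path
        r=0; w=0
        # mode string layout: t uuu ggg ooo -> positions 5/8 are g/o read,
        # positions 6/9 are g/o write
        case "$mode" in ????r?????|???????r??) r=1 ;; esac
        case "$mode" in ?????w????|????????w?) w=1 ;; esac
        [ "$r$w" = 00 ] && continue
        exposure=
        [ "$r" = 1 ] && exposure=read
        [ "$w" = 1 ] && exposure="${exposure:+$exposure+}write"
        printf '%s %s %s:%s %s\n' "$path" "$mode" "$owner" "$group" "$exposure"
    done
}

# Run against the constructed listing; on a live box use
#   ls -l /dev/ttyp* /dev/pts/* 2>/dev/null | flag_exposed_ttys
printf '%s\n' "$SAMPLE_LISTING" | flag_exposed_ttys
```

On the sample, ttyp0 is reported as group-writable with group tty and the logged-in user as owner, which is the ordinary "mesg y" state that write(1) and wall(1) rely on; the entries to worry about are ttyp1 and ttyp3, unused ptys still owned by root that any local user can open for reading, which is exactly what lets a third party's `more` sit on the pty and swallow input meant for the next login.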
Current thread:
- Re: Securax Advisory 13 (from bugtraq) John Herron (Jan 05)
- Re: Securax Advisory 13 (from bugtraq) Crist Clark (Jan 05)
- <Possible follow-ups>
- Re: Securax Advisory 13 (from bugtraq) John Herron (Jan 05)