[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: makedev: /dev/tty([0-9])* should not have 666 permissions



Hi, Phillip!

Thank for a storm-swift reply 8-)

It seems like they should be 660, not 600, as I suggested (wall(1) and
talkd(1) would break otherwise, probably).

On Mon, Apr 19, 2004 at 05:26:25PM -0400, Phillip Hofmeister wrote:
> yes, the others are 666.  Does it matter?  Are they used or just
> pointless character devices?

Yes, thanks to the escape sequences they are a backdoor to the system;
(don't) try the sploit below, it would keep changing the terminal to
/dev/tty63 so fast, you won't be able to switch back or kill the
offender, not even as a root.  The only remedy would be to connect to
the comp from another terminal (serial, ssh, ...).  On many systems, the
only remedy would be to reboot.  

Although this is of course possible to do locally, the 666 permissions
allow doing this *remotely*; even with a guest account, for example.  Or
in a at(1) entry, or crontab. 

I'd getting more and more convinced this should be tagged critical.

> On Mon, 19 Apr 2004 at 05:07:13PM -0400, Jan Minar wrote:
> > > > > % ssh kh
> > > > > jan@kh's password:
> > > > > Linux kontryhel 2.4.26-jan #3 SMP Mon Apr 19 05:00:00 CEST 2004 i686 unknown
> > > > > % echo 'Morning, Mister root, welcome to a jail 8-)' > /dev/tty63
> > > > > % while :; do echo -e '\033[12;63]' > /dev/tty63; done

The last line is important.

-- 
   "To me, clowns aren't funny. In fact, they're kind of scary. I've wondered
 where this started and I think it goes back to the time I went to the circus,
			  and a clown killed my dad."

Attachment: pgpoT79zgqKDX.pgp
Description: PGP signature


Reply to: