<alex@yuriev.com>
1999-Jun-07 12:32 UTC
RedHat 6.0, /dev/pts permissions bug when using xterm (fwd)
[Mod: forwarded from BUGTRAQ -- alex]

---------- Forwarded message ----------
Date: Sun, 6 Jun 1999 19:15:05 +0000
From: noc-wage <wage@IDIRECT.CA>
To: BUGTRAQ@NETSPACE.ORG
Subject: RedHat 6.0, /dev/pts permissions bug when using xterm

Once again I've come up with another trivial Denial of Service flaw (wow, I seem to be good at this: Conseal Firewall, +++ath0, ppp byte-stuffing). It's been a few months since my last DoS, so here you go:

Many of you RedHat 6.0 users who installed RedHat 6.0 rather than upgrading may have noticed the new way RedHat displays remote TTYs. Instead of the old fashioned /dev/ttyp<number>, it now uses /dev/pts/<number>. There is a flaw in this new implementation that local users can exploit to cause minor disruption to anyone using X-windows on the local machine. This DoS is more of a nuisance than a "real problem" but it could possibly be used to cause some minor havoc.

The way it works is simple. When whoever is using X opens up an "xterm" (eterm, rxvt, nxterm...) a connection is made to the X server. If you do a "who" you will see (RedHat 6.0, without upgrading from previous RedHat release):

    wage     pts/0    Jun  6 01:39 (:0.0)

Or on older versions:

    wage     ttyp0    Jun  6 01:39 (:0.0)

Now this is normal, but the problem lies within the permissions of that device. On older RedHats if you did:

    ls -l /dev/ttyp3

you would see:

    crw-------   1 wage     tty        3,   0 Jun  6 12:41 /dev/ttyp0

Which is normal and what it should look like. For those of you who may be new to unix, those letters at the beginning of the line indicate the permissions on the device. For our output above, the line indicates it is a device (c), and that the OWNER has read and write permissions (rw), Group has no permissions (---), and everyone has no permissions (---). They basically go <type indicator><owner><group><everyone>. An example line of a device with ALL permissions set follows:

    crwxrwxrwx
      /  |  \
  Owner Group Everyone

This means that everyone has read/write/execute permissions to that device. So as you can see our ttyp0 can only be read or written to by its owner (and root).

In the case of RedHat 6.0 with regular remote connections (like telnet) the standard permissions are as follows:

    crw--w----   1 ov3r     tty      136,   0 Jun  6 12:32 /dev/pts/0

Here it's almost the same except that group "tty" also has write access. The problem lies in the way that the permissions are set for local connections with the X server using xterm. If you do an

    ls -l /dev/pts/<the xterm's tty>

(we will use pts/0) you get:

    crw--w--w-   1 ov3r     ov3r     136,   0 Jun  6 12:32 /dev/pts/0

Notice how now "everyone" has write access to this terminal? This leads to the hole that any local user can disrupt any xterminal connected to the local machine. Simply typing "cat /dev/urandom > /dev/pts/<number>" will flood the xterm with garbage data making it impossible to use. Or we can also bring back the old "flash" attack and flash the user's xterm by dumping ASCII escape characters to his terminal.

This isn't a particularly "deadly" DoS attack, but can be used as a nuisance OR perhaps even to trick the user into doing something he may not want to do. (For example dumping "Login:" then "Password:" to the terminal may trick the user into adding his login/password to a file or to his .bash_history.)

--
Max Schau (noc-wage) <wage@idirect.ca>/<nocwage@globalserve.net>
KeyID 1024/0F699BD3
"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one" -- Dennis Huges, FBI
Torbjorn Kristoffersen
1999-Jun-07 14:42 UTC
[linux-security] Re: RedHat 6.0, /dev/pts permissions bug when using
On Mon, 7 Jun 1999 alex@yuriev.com wrote:

> The problem lies in the way that the permissions are set for local
> connections with the X server using xterm.
> if you do an ls -l /dev/pts/<the xterm's tty> (we will use pts/0)
> You get:
> crw--w--w- 1 ov3r ov3r 136, 0 Jun 6 12:32 /dev/pts/0
>
> Notice how now "everyone" has write access to this terminal?
> This leads to the hole that any local user can disrupt any xterminal
> connected to the local machine. Simply typing "cat /dev/urandom >

I've also got RedHat 6.0, but the `bug' never occurs. When a local X user uses an XTerm, his terminal device's name is as expected /dev/pts/<..>. However, the permissions of the device are crw--w----. Everyone doesn't have write access to the tty. So I don't think this bug can be in all RH6.0 distributions.

Cheers..
T. S. Kristoffersen <torbkris@online.no>
Kevin Kane
1999-Jun-07 23:52 UTC
[linux-security] Re: RedHat 6.0, /dev/pts permissions bug when
On Mon, 7 Jun 1999, Torbjorn Kristoffersen wrote:

| On Mon, 7 Jun 1999 alex@yuriev.com wrote:
|
| > The problem lies in the way that the permissions are set for local
| > connections with the X server using xterm.
| > if you do an ls -l /dev/pts/<the xterm's tty> (we will use pts/0)
| > You get:
| > crw--w--w- 1 ov3r ov3r 136, 0 Jun 6 12:32 /dev/pts/0
| >
| > Notice how now "everyone" has write access to this terminal?
| > This leads to the hole that any local user can disrupt any xterminal
| > connected to the local machine. Simply typing "cat /dev/urandom >
|
| I've also got RedHat 6.0, but the `bug' never occurs. When a
| local X user uses an XTerm, his terminal device's name is
| as expected /dev/pts/<..>.
| However, the permissions of the device are crw--w----. Everyone doesn't have
| write access to the tty. So I don't think this bug can be in all RH6.0
| distributions.

When I upgraded to 6.0, it changed my fstab to add the line for /dev/pts with the parameter 'mode=0622', and this seemed to be the root of the problem. I changed it to 'mode=0620', and also added a 'gid=5' (the GID of the tty group), and it behaves how I want it, with tty group write. (Without the gid, on my system, it ended up being the users group, which might as well be world-write.)

Kevin Kane <frnkzk@Glue.umd.edu>

[mod: Ok, that's it for this problem guys, we now know the problem and the fix. -- REW]
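The root cause and fix Kevin describes (a devpts mount with mode=0622, corrected to mode=0620 plus gid=5) can be checked mechanically before the next login creates a pty. The following is an added example written for this archive page, not code from anyone in the thread: a POSIX sh function that pulls the mount options out of a devpts fstab entry, flags a mode whose "others" class carries the write bit, and reports whether a gid= is pinned to the tty group. The fstab lines in it are constructed samples mirroring the two settings named in the thread, and the function names are assumptions. The 0600 fallback is the kernel's documented devpts default when no mode= option is given.

```shell
#!/bin/sh
# Added example, not from the thread: audit the devpts mount options that
# Kevin's message identifies (mode=0622 vs mode=0620,gid=5). Function and
# variable names are assumptions; the fstab lines are constructed samples.

# Constructed samples: the entry the upgrade wrote, and the corrected one.
FSTAB_BAD='none  /dev/pts  devpts  mode=0622  0 0'
FSTAB_GOOD='none  /dev/pts  devpts  gid=5,mode=0620  0 0'

# devpts_opts LINE: print the mount-option field (field 4) of a devpts entry.
devpts_opts() {
    printf '%s\n' "$1" | awk '$3 == "devpts" { print $4 }'
}

# devpts_mode LINE: print the mode= option, or the devpts default 0600 when absent.
devpts_mode() {
    mode=$(devpts_opts "$1" | tr ',' '\n' | sed -n 's/^mode=//p')
    printf '%s\n' "${mode:-0600}"
}

# devpts_gid LINE: print the gid= option, or "unset". Without gid= a new pty
# gets the opener's primary group, which is what Kevin saw with "users".
devpts_gid() {
    gid=$(devpts_opts "$1" | tr ',' '\n' | sed -n 's/^gid=//p')
    printf '%s\n' "${gid:-unset}"
}

# devpts_mode_ok LINE: return 0 if the "others" class has no write bit,
# 1 if every pty created under this mount would be writable by any local user.
devpts_mode_ok() {
    mode=$(devpts_mode "$1")
    others=${mode#"${mode%?}"}   # last octal digit = permissions for "others"
    if [ $((others & 2)) -ne 0 ]; then
        printf 'world-writable ptys: mode=%s gid=%s\n' "$mode" "$(devpts_gid "$1")"
        return 1
    fi
    printf 'ok: mode=%s gid=%s\n' "$mode" "$(devpts_gid "$1")"
    return 0
}

# Report on both constructed samples; keep going after a finding.
for line in "$FSTAB_BAD" "$FSTAB_GOOD"; do
    devpts_mode_ok "$line" || :
done
```

On a live system the same check applies to the running mount rather than the file: feed the devpts line from /proc/mounts (or the output of `mount`) to devpts_mode_ok, and compare against what `stat -c '%a %U %G' /dev/pts/*` (GNU coreutils) shows for the ptys already open. A pty reporting group write with an owner-named group, as in the original post's `ov3r ov3r` listing, is the symptom that the gid= option is missing.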