Bugtraq mailing list archives

Re: [linux-security] Yet Another DIP Exploit?


From: uri () watson ibm com (Uri Blumenthal)
Date: Thu, 1 May 1997 14:46:54 -0400


George Staikos says:
> I seem to have stumbled across another vulnerability in DIP.  It
> appears to allow any user to gain control of arbitrary devices in /dev.
> For instance, I have successfully stolen keystrokes from a root login as
> follows...  (I could also dump characters to the root console)

Well, of course. This will be true for as long as the tty devices
are not rw by "other".

> DIP> port tty1
> DIP> echo on
> DIP> term
>
> I'm sure there are many more creative things to do with this, but this is
> the first thing that came to mind when I discovered it, and is a good
> example of what can be done.  Not all devices are accessible.  I have not
> looked into the patch at this time, but I recommend chmod u-s dip, as
> usual! :)

If you do "u-s", you break dip for every non-root user. There is no
patch I can think of. It is assumed that whoever is allowed to dip
outside, is trusted enough and "dip" is not executable by "other".

Feel free to post or e-mail a constructive recommendation/patch.
--
Regards,
Uri             uri () watson ibm com
-=-=-=-=-=-=-
<Disclaimer>
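The two mitigations discussed in this message (removing the setuid bit, or keeping it while making the binary non-executable by "other") can be audited with a small shell check. This is an added example, not part of the original post or of DIP; the function name `classify_suid` is hypothetical and the paths to check are supplied by the caller.

```shell
#!/bin/sh
# Added example: classify how widely a setuid helper such as dip is exposed.
# classify_suid is a hypothetical name; pass the binary's path as argument.
#
# Prints one of:
#   exposed     setuid and executable by "other" (any local user can run it)
#   restricted  setuid, but only owner/group may execute it
#   not-setuid  setuid bit cleared (the "chmod u-s" state)
#   missing     path is not a regular file
classify_suid() {
    f=$1
    if [ ! -f "$f" ]; then
        echo missing
        return 0
    fi
    # find -perm -MODE matches when all bits in MODE are set.
    # -prune keeps find from descending if a directory slips through.
    if [ -z "$(find "$f" -prune -perm -4000 2>/dev/null)" ]; then
        echo not-setuid
    elif [ -n "$(find "$f" -prune -perm -0001 2>/dev/null)" ]; then
        echo exposed
    else
        echo restricted
    fi
}

# Report on every path given on the command line.
for p in "$@"; do
    printf '%s: %s\n' "$p" "$(classify_suid "$p")"
done
```

A result of `restricted` only narrows the exposure to the members of the owning group, so that group's membership should be reviewed as well.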


