Bugtraq mailing list archives
Re: [linux-security] Yet Another DIP Exploit?
From: uri () watson ibm com (Uri Blumenthal)
Date: Thu, 1 May 1997 14:46:54 -0400
George Staikos says:
> I seem to have stumbled across another vulnerability in DIP. It appears to allow any user to gain control of arbitrary devices in /dev. For instance, I have successfully stolen keystrokes from a root login as follows... (I could also dump characters to the root console)
Well, of course. This will be true for as long as the tty devices are not rw by "other".
> DIP> port tty1
> DIP> echo on
> DIP> term
>
> I'm sure there are many more creative things to do with this, but this is the first thing that came to mind when I discovered it, and is a good example of what can be done. Not all devices are accessible. I have not looked into the patch at this time, but I recommend chmod u-s dip, as usual! :)
If you do "u-s", you break dip for every non-root user. There is no patch I can think of. It is assumed that whoever is allowed to dip outside is trusted enough and "dip" is not executable by "other". Feel free to post or e-mail a constructive recommendation/patch.
--
Regards,
Uri uri () watson ibm com
-=-=-=-=-=-=-
<Disclaimer>
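One way to check the deployment assumption stated in the reply above (dip keeps its setuid bit but is not executable by "other"), as an added example that is not part of the original thread. The function name, the result labels and any path passed to it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify a binary's mode against the
# assumption "setuid stays on, but 'other' has no execute bit".
# The path to dip is site-specific; pass it as an argument.

# audit_setuid_exec FILE
# Prints one of: missing | not-setuid | setuid-restricted | setuid-world-exec
audit_setuid_exec() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    # First 10 characters of the ls mode string, e.g. "-rwsr-x---".
    # -L follows a symlink so the real binary's mode is inspected.
    mode=$(ls -ldL -- "$f" | cut -c1-10)
    user_x=$(printf '%s' "$mode" | cut -c4)    # s or S: setuid bit is set
    other_x=$(printf '%s' "$mode" | cut -c10)  # x or t: "other" may execute
    case $user_x in
        s|S) ;;
        *) echo not-setuid; return 0 ;;
    esac
    case $other_x in
        x|t) echo setuid-world-exec ;;   # any local user can run it setuid
        *)   echo setuid-restricted ;;   # only owner/group members can run it
    esac
    return 0
}

# Report every path given on the command line, with the ls line for context
# (owner and group show who is actually allowed to run the binary).
for path in "$@"; do
    printf '%s: %s\n' "$path" "$(audit_setuid_exec "$path")"
    [ -e "$path" ] && ls -ldL -- "$path"
done
```

A result of setuid-world-exec means the assumption in the reply does not hold on that host; the restricted layout is typically reached by giving the binary a dedicated group and removing the execute bit for "other".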