Vulnerability Development mailing list archives
Re: Securax Advisory 13 (from bugtraq)
From: John Herron <john.herron () RRC STATE TX US>
Date: Fri, 5 Jan 2001 09:11:45 -0600
Ok, I was a little upset to see this posted since I was working on this a while back (a few months ago), but wanted to get an actual result rather than a DoS, so I never considered posting it; but as we've seen, a few people wrote scripts before that too, so I can't complain. Ya snooze ya lose.

What I wanted to mention is instead of just a DoS (which IS theoretically doable, if you can keep each ttyp* in use, or if you can continuously send a character to each one and then repeat (although it'd have to be fast to truly keep anyone off the system)). What I was trying to do (this is in FreeBSD 4.x, btw) is: when I do a "more /dev/ttyp1" (just use the next available ttyp after you), type anything ("ls -a"), then telnet into that machine. Once you telnet in, FreeBSD seems to use the first available tty (in this case ttyp1); it opens it, disconnects the person trying to connect, and on ttyp0 (or whatever your original tty was when you did the "more") it will run the command you typed (ls -a).

Since ttyp* are all owned by root/wheel, I was trying to see if there was a way to pull off getting a command to run as root (in my case I was always just trying "more /etc/master.passwd"). I was able to create a link (a hard link, though) in the /tmp directory for it, but that doesn't do anything neat, except I can edit that file and it will also deny that terminal (the pain is that the file in the tmp directory, "bla", is also root/wheel, so I as a normal user can't delete it (and I'm just commenting.. I just go in as root and kill it since it's my box, but I'm trying to do these tricks w/o any privileges)). A symbolic link only creates me bla2->/dev/ttyp1, which again acts like editing ttyp1, but again I can't (also don't really know how) if I could just write a script to do a command THEN ln /dev/ttyp1 /tmp/bla2, but that doesn't work for me, so I can't try a symbolic link attack (as far as I understand how it works).
I'm obviously not a skilled hacker, just a person that has the interest at this stage, so I can only screw around. I figure you all probably know if there's any potential here. Any ideas? Also, one last thing.. as user "guest" (group guest), whenever I create a file it's getting created as group "wheel".. should that be happening? (It does it even when I logged out and back in.)
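As an added example (not code from the post above or from FreeBSD), here is the check a practitioner would run before trying to reproduce this: a small POSIX shell audit that lists tty/pty device nodes whose permission bits let users other than the owner read them, which is the precondition for "more /dev/ttyp1" working against an unallocated pty at all. The `ls -l` lines embedded in `audit_sample` are constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original post or any FreeBSD code.
#
# ptys_with_lax_mode reads "ls -l"-style lines on stdin and prints the
# character devices whose mode grants read or write to "other", or read
# to group. Group write alone is not flagged: a logged-in pty is normally
# owner:tty with mode 0620 so write(1) and wall(1) can reach it, and
# that does not let anyone read the terminal.
ptys_with_lax_mode() {
    while read -r mode _links owner group rest; do
        case "$mode" in
            c*) ;;            # only character devices (tty/pty nodes)
            *) continue ;;
        esac
        name=${rest##* }      # last field of the line is the path
        grp=$(printf '%s\n' "$mode" | cut -c5-7)   # group rwx bits
        oth=$(printf '%s\n' "$mode" | cut -c8-10)  # other rwx bits
        flag=0
        case "$grp" in *r*) flag=1 ;; esac
        case "$oth" in *r*|*w*) flag=1 ;; esac
        if [ "$flag" -eq 1 ]; then
            printf '%s %s %s:%s\n' "$name" "$mode" "$owner" "$group"
        fi
    done
}

# Constructed sample in "ls -l" format (not real output): ttyp0 is the
# user's own logged-in pty, ttyp1 and ttyp2 are still unallocated, and
# the last line is a regular file that must be ignored.
audit_sample() {
    ptys_with_lax_mode <<'EOF'
crw--w----  1 guest  tty      5,   0 Jan  5 09:11 /dev/ttyp0
crw-rw-rw-  1 root   wheel    5,   1 Jan  5 09:11 /dev/ttyp1
crw-rw-rw-  1 root   wheel    5,   2 Jan  5 09:11 /dev/ttyp2
-rw-r--r--  1 root   wheel       1234 Jan  5 09:11 /dev/MAKEDEV
EOF
}

# On a live FreeBSD 4.x box, feed it the real listing instead:
#   ls -l /dev/ttyp* | ptys_with_lax_mode
audit_sample
```

Only the two unallocated nodes are reported; the logged-in ttyp0 is owner-only plus group write for the tty group, which is the expected state. On Linux the equivalent listing is `ls -l /dev/pts/*`, where slaves are created on demand by devpts rather than pre-created as world-readable nodes, so nothing should be reported there. The group question at the end of the post has a mundane answer that is unrelated to the pty behaviour: FreeBSD, like other BSDs, gives a newly created file the group of the directory it is created in rather than the creating user's primary group, so files written into a directory owned by group wheel come out as group wheel.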
Current thread:
- Re: Securax Advisory 13 (from bugtraq) John Herron (Jan 05)
- Re: Securax Advisory 13 (from bugtraq) Crist Clark (Jan 05)
- <Possible follow-ups>
- Re: Securax Advisory 13 (from bugtraq) John Herron (Jan 05)