Vulnerability Development mailing list archives

Re: Securax Advisory 13 (from bugtraq)


From: John Herron <john.herron () RRC STATE TX US>
Date: Fri, 5 Jan 2001 09:11:45 -0600

Ok, I was a little upset to see this posted since I was working on this a while back (few months ago) but wanted to get an actual result rather than a DoS so I never considered posting it, but as we've seen a few people wrote scripts before that too so I can't complain.  Ya snooze ya lose.

What I wanted to mention is instead of just a DoS (which IS theoretically doable, if you can keep each ttyp* in use or if you can continuously send a character to each one and then repeat (although it'd have to be fast to truly keep anyone off the system)).  What I was trying to do (this is in FreeBSD 4.x btw) is when I do a "more /dev/ttyp1" (just use the next available ttyp after you), type anything, e.g. "ls -a", then telnet into that machine.  Once you telnet in, FreeBSD seems to use the first available tty (in this case ttyp1), it opens it, disconnects the person trying to connect, and on ttyp0 (or whatever your original tty was when you did the "more") it will run the command you typed (ls -a).

Since ttyp* are all owned by root/wheel I was trying to see if there was a way to pull off getting a command to run as root (in my case I was always just trying "more /etc/master.passwd").  I was able to create a link (hard link though) in the /tmp directory for it, but that doesn't do anything neat except I can edit that file and it will also deny that terminal (the pain is that the file in the tmp directory "bla" is also root/wheel so I as a normal user can't delete it (and I'm just commenting.. I just go in as root and kill it since it's my box but I'm trying to do these tricks w/o any privileges)).  A symbolic link only creates me bla2->/dev/ttyp1 which again, acts like editing ttyp1 but again I can't (also don't really know how) if I could just write a script to do a command THEN ln /dev/ttyp1 /tmp/bla2 but that doesn't work for me so I can't try a symbolic link attack (as far as I understand how it works).

I'm obviously not a skilled hacker, just a person that has the interest at this stage so I can only screw around.  I figure you all probably know if there's any potential here.  Any ideas?  Also, one last thing.. as user "guest" (group guest) whenever I create a file it's getting created as group "wheel".. should that be happening? (it does it even when I logged out and back in)
