Re: [linux-security] Yet Another DIP Exploit?

Uri Blumenthal (uri@watson.ibm.com)
Thu, 01 May 1997 14:46:54 -0400

George Staikos says:
> I seem to have stumbled across another vulnerability in DIP. It
> appears to allow any user to gain control of arbitrary devices in /dev.
> For instance, I have successfully stolen keystrokes from a root login as
> follows... (I could also dump characters to the root console)

Well, of course. This will be true for as long as the tty devices
are not rw by "other".

> DIP> port tty1
> DIP> echo on
> DIP> term
>
> I'm sure there are many more creative things to do with this, but this is
> the first thing that came to mind when I discovered it, and is a good
> example of what can be done. Not all devices are accessible. I have not
> looked into the patch at this time, but I recommend chmod u-s dip, as
> usual! :)

If you do "u-s", you break dip for every non-root user. There is no
patch I can think of. It is assumed that whoever is allowed to dip
outside is trusted enough, and "dip" is not executable by "other".

Feel free to post or e-mail a constructive recommendation/patch.

--
Regards,
Uri             uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>
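
An added example, not part of the original message or of dip itself: a shell audit of the assumption stated in the reply, that a setuid dip is not executable by "other". The function names, verdict strings and the path argument are assumptions of this sketch, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example: check whether a setuid binary (e.g. dip) is restricted
# to its owner and group, as the reply assumes.

# classify_mode MODE
#   MODE is an octal permission string such as 4750 (as printed by stat).
#   Prints one verdict:
#     not-setuid         setuid bit is clear (non-root users cannot use dip)
#     setuid-world-exec  setuid and executable by "other": any local user runs it
#     setuid-world-write setuid and writable by "other": anyone can replace it
#     setuid-restricted  setuid, with "other" neither able to run nor write it
classify_mode() {
    m=$((0$1))                      # leading 0 makes the shell read it as octal
    if [ $((m & 04000)) -eq 0 ]; then
        echo "not-setuid"
    elif [ $((m & 0002)) -ne 0 ]; then
        echo "setuid-world-write"
    elif [ $((m & 0001)) -ne 0 ]; then
        echo "setuid-world-exec"
    else
        echo "setuid-restricted"
    fi
}

# audit_dip PATH
#   Prints the verdict for PATH plus owner:group, returns 0 only when the
#   binary is not exposed to "other". Returns 2 when PATH cannot be read.
audit_dip() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "missing"
        return 2
    fi
    mode=$(stat -c '%a' "$path") || return 2
    owner=$(stat -c '%U:%G' "$path") || return 2
    verdict=$(classify_mode "$mode")
    echo "$verdict $mode $owner"
    case $verdict in
        setuid-world-exec|setuid-world-write) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone use: sh audit.sh /path/to/dip  (the path is supplied by the caller)
if [ $# -gt 0 ]; then
    audit_dip "$1"
fi
```

A `setuid-restricted` verdict means access to dip is decided by membership of the owning group, so the group's member list is the next thing to review.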