Expect password spy vulnerability

Summary
Description:Expect is frequently used to automate login sessions, and it is possible to spy on the information transferred through it (often passwords).
Author:Austin Schutz <tex@COLLEGENET.COM>
Compromise:Gather authentication information passwd by expect.
Vulnerable Systems:Those running expect 5.14, probably older and newer versions too.
Date:22 July 1997
Details


Date: Tue, 22 Jul 1997 22:08:36 -0700
From: Austin Schutz <tex@COLLEGENET.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Expect security vulnerability (fwd)

        I checked various FAQs and archives relating to both
Expect and security and haven't seen any previous mention of this.
        The version of Expect I am using is 5.14 but I would be very
surprised if this didn't apply to all versions of Expect.

        Expect is used frequently to automate login sessions on remote
machines. This is done via a pseudo tty opened bidirectionally to allow
interaction with programs either suited to or needing terminal behavior.
This pseudo tty is (under Linux and Solaris at least) owned by root and
mode 666. It is possible to obtain a password passed to the login process
by reading from the slave end of the tty.

        Example:

expect1.1> spawn ssh somewhere.com
spawn ssh somewhere.com
22239
expect1.2>


Now on another window as a different user:

$ ps -u tex | grep ssh
 22239 ttyp1    0:00 ssh
$ cat < /dev/ttyp1


Now back at the original window:

expect1.2> expect ":"
tex's password: expect1.3> send "Hrd2Cr@k\r"

At which point the username shows up on the second window. Normally this
would be automated and someone trying to exploit this would have to make a
decent educated guess as to when to read from the tty.

        The reason this occurs is because Expect never makes the handle
inaccessible to other processes. AFAIK there are only two ways to do this:
change the ownership/permissions of the tty or lock it.
        The former seems to be possible to do on some platforms. Solaris
includes a grantpt() C function which changes the ownership (temporarily?)
of the tty pair. This function is probably used normally by login to
change permissions on a tty for use by users. The methods for
accomplishing this seem to be completely different from Unix to Unix.
        The other method would be to lock the tty before spawning the
process. As I discovered while working on a Perl port of Expect, there are
some programs that get very angry if you keep them from accessing
/dev/tty. If you know the program you're spawning doesn't require the use
of /dev/tty then maybe it's possible to lock it on a case by case basis.
I'm not sure.

        Tex

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]