SecurityTracker.com

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   Pt_chmod Vendors:   Sun
Sun Solaris pt_chmod Access Control Vulnerability Lets Local Users Obtain Write Access to Another User's TTY
SecurityTracker Alert ID:  1002732
SecurityTracker URL:  http://securitytracker.com/id/1002732
CVE Reference:   CVE-2001-1555   (Links to External Site)
Updated:  Jun 3 2008
Original Entry Date:  Nov 13 2001
Impact:   Modification of user information
Fix Available:  Yes  

Description:   The Dublin City University Networking Society (RedBrick) reported a vulnerability in pt_chmod, the utility that changes the ownership and permissions of a pseudo-tty when it is allocated to a user. The utility is not ACL-aware: it does not clear access control list entries on a relinquished tty, so a local user who added such an entry retains write access when the tty is allocated to another user.

It is reported that a local user can retain full write access to every tty that was previously allocated to them once those ttys are reallocated to other users. While owning a tty, the user amends its access control list (ACL) so that when the tty is later allocated to another user the original user still holds write permission. This allows a local user to send bogus output to another user's tty.

It is reported that read/execute permissions are not retained.

The author of the report notes that this issue has been previously discussed on the comp.unix.solaris and comp.unix.security newsgroups.

The vendor has reportedly been notified.

Impact:   A local user can obtain write access to another user's tty.
Solution:   No vendor solution was available at the time of this entry.

The author of the report provides the following recommendations:

"adding "setfacl -s user::6,group::2,mask:2,other:0 `tty`"
to shell profile startup scripts as a temporary solution.
Be aware that this solution has an inherent race condition
allowing your tty to be written to in the short time between
tty allocation and your shell processing the startup file.
It is also common for setups to allow the non-processing of such
startup files. For our own purposes we have patched the pt_chmod
source, however we believe that distribution of the (or at least
a contextual ) patch violates the license. The necessary
amendments which need to be made to pt_chmod.c are:

include the sys/acl.h header

declare in main() :
aclent_t aclbuf[4]={
{ USER_OBJ , 0, 6 },
{ GROUP_OBJ , 0, 2 },
{ OTHER_OBJ , 0, 0 },
{ CLASS_OBJ , 0, 2 }
};

implement towards end of main() :

if(acl(ptsname(fd),SETACL,4,aclbuf))
    exit(-1);

ps. if you mess up installation of pt_chmod you can render your
machine unusable, you have been warned."

Vendor URL:  www.sun.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  Solaris 8 (x86 and Sparc)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: Sun Solaris pt_chmod Access Control Vulnerability Lets Local Users Obtain Write Access to Another User's TTY
The vendor has issued a fix.



 Source Message Contents

Subject:  pt_chmod vulnerability



	 		RedBrick Security Advisory
		-------------------------------------------
		 Dublin City University Networking Society

Vulnerable systems:
	Solaris 8 (x86 and Sparc)
	Other versions of Solaris do not appear susceptible

Summary:
	pt_chmod is not acl aware

	full write access is attainable on all ttys
	previously allocated to a user when reallocated at
	a later stage. If no limit is in place on the number
	of login sessions a user may have it is trivial to
	affect a large number of ttys.

	Read/execute permissions do not appear to be attainable 
	because of the ACL mask value. Abusers may then falsify
	any output on another user's tty.

	By amending the acl on a tty whilst the owner of the tty,
	a user can arrange it such that they maintain write access on
	that tty after subsequent reallocations to separate user
	accounts, including privileged accounts. The acl appears
	to maintain state across tty allocations.

Proof of concept:

colmmacc@PleaseNameMe (~) $ uname -a
SunOS PleaseNameMe 5.8 Generic_108528-05 sun4u sparc SUNW,Ultra-4 
colmmacc@PleaseNameMe (~) $ tty
/dev/pts/1
colmmacc@PleaseNameMe (~) $ getfacl /dev/pts/1

# file: /dev/pts/1
# owner: colmmacc
# group: tty
user::rw-
group::-w-              #effective:-w-
mask:-w-
other:---
colmmacc@PleaseNameMe (~) $ setfacl -m user:colmmacc:2 /dev/pts/1
colmmacc@PleaseNameMe (~) $ logout

<login as "test">

$ tty
/dev/pts/1
$ getfacl /dev/pts/1

# file: /dev/pts/1
# owner: test
# group: tty
user::rw-
user:colmmacc:-w-               #effective:-w-
group::-w-              #effective:-w-
mask:-w-
other:---

Impact:
	do not underestimate the impact of having a writable by others 
	tty. Consider how hard it would be to prevent a local attack
	whilst your screen was continually refreshing, or how easy it
	would be for another to fake the output of tail on logfiles,
	other program output, and write messages to you. Indeed it would 
	greatly assist in a social engineering attack as well as prove a 
	major annoyance. Any solaris shell servers should consider this
	a major problem, it could also be viewed as an unwanted help to
	persons attempting privilege escalation. In short, however small
	an advantage it is, it's a bad idea.

Suggested Action:
	adding "setfacl -s user::6,group::2,mask:2,other:0 `tty`"
	to shell profile startup scripts as a temporary solution.
	Be aware that this solution has an inherent race condition
	allowing your tty to be written to in the short time between
	tty allocation and your shell processing the startup file.
	It is also common for setups to allow the non-processing of such
	startup files. For our own purposes we have patched the pt_chmod
	source, however we believe that distribution of the (or at least
	a contextual ) patch violates the license. The necessary
	amendments which need to be made to pt_chmod.c are:

	include the sys/acl.h header

	declare in main() :
	aclent_t aclbuf[4]={
		{ USER_OBJ  , 0, 6 },   /* user::rw-  (owner of the tty) */
		{ GROUP_OBJ , 0, 2 },   /* group::-w- */
		{ OTHER_OBJ , 0, 0 },   /* other:---  */
		{ CLASS_OBJ , 0, 2 }    /* mask:-w-   (same as setfacl ... mask:2) */
	};

	implement towards end of main() :

	/* replace the whole ACL of the pty: any named user/group entries are dropped */
	if(acl(ptsname(fd),SETACL,4,aclbuf))
		exit(-1);

	ps. if you mess up installation of pt_chmod you can render your
	    machine unusable, you have been warned.
	
Vendor Notification:
	The vendor was notified (by us) of the issue on August 6th 2001.
	And previous to that as early as December 2000.

History:	
	This is a known issue, by both the general solaris community,
	through comp.unix.solaris and comp.unix.security, and by SUN
	(SUN bug id 4394893).

	However we could find no recommended way to deal with it
	and after we independently discovered the bug, we reported it
	to SUN, and got an offer of T-patches down the line. For whatever 
	reason (probably genuine prioritisation) it isn't considered
	too highly on the agenda. In all probability because of the general 
	services-based usage pattern of Solaris.

	We are releasing this advisory as we have an effective method of dealing
	with the problem, we have been using it for some 6 weeks now on a large
	multi-user shell system with no ill-effects. We also consider it important
	that people not familiar with the problem be made aware of it.

	We realise that using solaris as a shell server is atypical, but it 
	is common enough to merit greater concern. We have come across active
	instances of abuse of this bug.

Credits:
	comp.unix.solaris, comp.unix.security:
	
	Roland Mainz (discovery) David Robinson (SUN bug id)

	redbrick.dcu.ie:

	colmmacc (discovery and fixes) , doc (chief hypothesiser)

Author:
	Colm MacCarthaigh <colmmacc _At_ redbrick.dcu.ie>
	
	8/11/2001
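The Suggested Action in the advisory above and the recommendation quoted in the SecurityTracker entry both come down to checking a tty's ACL with getfacl and resetting it with setfacl. The following POSIX shell script is an added example, not part of the RedBrick advisory or of Sun's pt_chmod: it parses a Solaris getfacl listing (the sample is constructed from the proof of concept above) for named user/group entries left behind by a previous owner and prints the advisory's setfacl reset command; the function names and the listing fed on stdin are assumptions, and the script does not run getfacl itself.

```shell
#!/bin/sh
# Added example (not from the RedBrick advisory or Sun's pt_chmod).
# Assumes the getfacl(1) output format shown in the proof of concept:
#   user::rw-
#   user:colmmacc:-w-   #effective:-w-
# Named entries (user:NAME:... / group:NAME:...) are what a previous tty
# owner can leave behind; base user::/group::/mask:/other: lines are not.

# stray_acl_entries: read a getfacl listing on stdin, print named entries only
stray_acl_entries() {
    sed 's/[[:space:]]*#effective:.*$//' |
        grep -E '^(default:)?(user|group):[^:]+:' || true
}

# tty_reset_cmd TTY: the setfacl invocation the advisory recommends
tty_reset_cmd() {
    printf 'setfacl -s user::6,group::2,mask:2,other:0 %s\n' "$1"
}

# check_tty_acl TTY: read the tty's getfacl listing on stdin; return 1 and
# print the reset command if any named entry is present, 0 otherwise
check_tty_acl() {
    stray=$(stray_acl_entries)
    if [ -n "$stray" ]; then
        echo "WARNING: stray ACL entries on $1 (a previous owner keeps access):"
        echo "$stray"
        echo "Reset with: $(tty_reset_cmd "$1")"
        return 1
    fi
    return 0
}

# Constructed sample: the listing after "test" logs in on /dev/pts/1, where
# the entry colmmacc added while owning the tty has survived reallocation.
SAMPLE_AFTER='# file: /dev/pts/1
# owner: test
# group: tty
user::rw-
user:colmmacc:-w-               #effective:-w-
group::-w-              #effective:-w-
mask:-w-
other:---'

# In a login profile on a real system this would be:
#   getfacl `tty` | check_tty_acl `tty`
printf '%s\n' "$SAMPLE_AFTER" | check_tty_acl /dev/pts/1 || echo "(exit $?: reset needed)"
```

As the advisory notes, a profile-based check still leaves the window between tty allocation and profile execution open; only the pt_chmod change closes it.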


 
 

