Date: Sun, 6 Jun 1999 19:15:05 +0000
From: noc-wage <[email protected]>
To: [email protected]
Subject: RedHat 6.0, /dev/pts permissions bug when using xterm
Once again I've come up with another trivial Denial of Service flaw
(wow, I seem to be good at this: Conseal Firewall, +++ath0, ppp byte-stuffing).
It's been a few months since my last DoS, so here you go:
Many of you RedHat 6.0 users who installed RedHat 6.0 rather than
upgrading may have noticed the new way RedHat displays remote TTY's.
Instead of the old fashioned /dev/ttyp<number>, it now uses
/dev/pts/<number>. There is a flaw in this new implementation that local
users can exploit to cause minor disruption to anyone using X-windows on
the local machine.
This DoS is more of a nuisance than a "real problem", but it could possibly
be used to cause some minor havoc.
The way it works is simple. When whoever is using X opens up an "xterm"
(eterm, rxvt, nxterm...) a connection is made to the X server.
If you do a "who" you will see:
(RedHat 6.0, without upgrading from previous RedHat release)
wage pts/0 Jun 6 01:39 (:0.0)
Or on older versions:
wage ttyp0 Jun 6 01:39 (:0.0)
Now this is normal, but the problem lies within the permissions of that
device.
On older RedHat's if you did:
ls -l /dev/ttyp3 you would see:
crw------- 1 wage tty 3, 0 Jun 6 12:41 /dev/ttyp0
Which is normal and what it should look like.
For those of you who may be new to unix, those letters at the beginning of
the line indicate the permissions on the device.
For our output above, the line indicates it is a device (c), and that the
OWNER has read and write permissions (rw),
Group has no permissions (---), and everyone has no permissions (---).
They basically go <type indicator><owner><group><everyone>
An example line of a device with ALL permissions set follows:
c rwx rwx rwx
   /    |    \
Owner Group Everyone
This means that everyone has read/write/execute permissions to that device.
So as you can see our ttyp0 can only be read or written to by its owner
(and root).
In the case of RedHat 6.0 with regular remote connections (like telnet)
the standard permissions are as follows:
crw--w---- 1 ov3r tty 136, 0 Jun 6 12:32 /dev/pts/0
Here it's almost the same except that group "tty" also has write access.
The problem lies in the way that the permissions are set for local
connections with the X server using xterm.
if you do an ls -l /dev/pts/<the xterm's tty> (we will use pts/0)
You get:
crw--w--w- 1 ov3r ov3r 136, 0 Jun 6 12:32 /dev/pts/0
Notice how now "everyone" has write access to this terminal?
This leads to the hole that any local user can disrupt any xterminal
connected to the local machine. Simply typing "cat /dev/urandom >
/dev/pts/<number>" will flood the xterm with garbage data making it
impossible to use. Or we can also bring back the old "flash" attack and
flash the user's xterm by dumping ASCII escape characters to his
terminal.
This isn't a particularly "deadly" DoS attack, but can be used as a
nuisance OR perhaps even to trick the user into doing something he may
not want to do. (For example, dumping "Login:" then "Password:" to the
terminal may trick the user into adding his login/password to a file or to
his .bash_history.)
--
Max Schau (noc-wage) <[email protected]>/<[email protected]>
KeyID 1024/0F699BD3
"The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and i'm not even too sure about that one"--Dennis Huges, FBI
-------------------------------------------------------------------------------------
Date: Mon, 7 Jun 1999 12:52:51 -0500
From: Michael Jennings <[email protected]>
To: [email protected]
Subject: Re: RedHat 6.0, /dev/pts permissions bug when using xterm
On Sunday, 06 June 1999, at 19:15:05 (+0000),
noc-wage wrote:
> In the case of RedHat 6.0 with regular remote connections (like telnet)
> the standard permissions are as follows:
>
> crw--w---- 1 ov3r tty 136, 0 Jun 6 12:32 /dev/pts/0
>
> Here it's almost the same except that group "tty" also has write access.
>
>
> The problem lies in the way that the permissions are set for local
> connections with the X server using xterm.
> if you do an ls -l /dev/pts/<the xterm's tty> (we will use pts/0)
> You get:
> crw--w--w- 1 ov3r ov3r 136, 0 Jun 6 12:32 /dev/pts/0
>
> Notice how now "everyone" has write access to this terminal?
If compiled with USE_TTY_GROUP defined, xterm checks for the "tty"
group. If it exists, the permissions on the terminal device are set
to 0620. If it does not exist, or if USE_TTY_GROUP is not defined,
the permissions are set to 0622.
You can fix this by either recompiling with USE_TTY_GROUP defined, or
by editing main.c and changing the permissions there.
Since Eterm was mentioned, I will go ahead and say this. If Eterm
has sufficient permissions (either by being installed setuid root or
by being executed by the owner of the tty), it will change the
ownership and permissions on the device to 0620. If it cannot change
the permissions on the device, any vulnerabilities resulting therefrom
are the responsibility of the system administrator. No current
version of Eterm sets the permissions on any device file to 0622 under
Linux.
Michael
--
=======================================================================
Michael Jennings <[email protected]> Co-author, Eterm (www.eterm.org)
UNIX Administrator, 3Com Corp., Chicago, IL www.tcserv.com
-------------------------------------------------------------------------------------
Date: Mon, 7 Jun 1999 14:10:52 -0400
From: [email protected]
To: [email protected]
Subject: Re: RedHat 6.0, /dev/pts permissions bug when using xterm
> This isn't a particularily "deadly" DoS attack, but can be used as a
> nuisance OR perhaps even to trick the user into doing something he may
> not want to do. (For example dumping "Login:" then "Password:" to the
> terminal may trick the user into adding his login/password to a file or
> to
> his .bash_history).
It's as deadly as they come.
Man. It was way back in 1983 or so when I first saw the wonders of discarding
your control terminal, opening a tty to make it your control terminal, and
then start abusing the TIOCSTI ioctl(). No exploit here - this is so old
that you should be able to find it ANYPLACE. ;)
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
-------------------------------------------------------------------------------------
Date: Tue, 8 Jun 1999 02:43:35 -0400
From: Trevor Johnson <[email protected]>
To: [email protected]
Subject: Re: RedHat 6.0, /dev/pts permissions bug when using xterm
Hi, Max. Thank you for the warning. I observe the problem here, on two
PCs on which I installed Red Hat 6.0 from scratch. However, it doesn't
happen for me with xterm or nxterm, only with rxvt. I ran them all in X
sessions that I started via xdm. I was also logged in via mingetty.
[trevor@localhost trevor]$ ps uaxw|grep xterm|grep -v grep
trevor 738 0.0 1.4 2844 1808 ? S 22:54 0:00 nxterm
trevor 760 0.0 1.3 2812 1700 pts/0 S 23:02 0:00 xterm -rv
-sb
[trevor@localhost trevor]$ ps uaxw|grep rxvt|grep -v grep
trevor 862 0.0 0.8 1932 1032 pts/0 S 23:36 0:00 rxvt
[trevor@localhost trevor]$ who
trevor tty1 Jun 7 21:22
trevor tty2 Jun 7 21:36
trevor tty3 Jun 7 21:49
trevor tty4 Jun 7 22:03
trevor tty5 Jun 7 22:06
trevor tty6 Jun 7 22:08
trevor :0 Jun 7 21:21
[trevor@localhost trevor]$ ls -l /dev/pts
total 0
crw--w---- 1 trevor trevor 136, 0 Jun 7 23:36 0
crw--w---- 1 trevor trevor 136, 1 Jun 7 23:29 1
crw--w--w- 1 trevor trevor 136, 2 Jun 7 23:36 2
[trevor@localhost trevor]$ grep tty /etc/group
tty::5:
[trevor@localhost trevor]$ rpm -qf `which xterm` `which nxterm`
XFree86-3.3.3.1-49
XFree86-3.3.3.1-49
[trevor@localhost trevor]$ rpm -qa|grep rxvt
rxvt-2.6.PRE2-5
[trevor@localhost trevor]$ cat /proc/version
Linux version 2.2.5-15 ([email protected]) (gcc version
egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)) #1 Mon Apr 19 23:00:46
EDT 1999
[trevor@localhost trevor]$ ls -l `which rxvt` `which xterm` `which nxterm`
-rwxr-xr-x 2 root root 159080 Apr 18 16:33
/usr/X11R6/bin/nxterm
-rwxr-xr-x 1 root root 77920 Mar 26 12:53 /usr/X11R6/bin/rxvt
-rwxr-xr-x 2 root root 159080 Apr 18 16:33
/usr/X11R6/bin/xterm
[trevor@localhost trevor]$ rpm -qa|grep ^glibc
glibc-devel-2.1.1-6
glibc-2.1.1-6
When I killed the rxvt, the mode 622 pty went away. When I ran rxvt
twice, there were two such bad ptys.
> Many of you RedHat 6.0 users who installed RedHat 6.0 rather than
> upgrading may have noticed the new way RedHat displays remote TTY's.
> Instead of the old fashioned /dev/ttyp<number>, it now uses
> /dev/pts/<number>. There is a flaw in this new implementation that
> local
> users can exploit to cause minor disruption to anyone using X-windows on
> the local machine.
> This DoS is more of a nuisance than a "real problem" but it could
> possibly
> be used to cause some minor havok.
>
> The way it works is simple. When whoever is using X opens up an "xterm"
> (eterm, rxvt, nxterm...) a connection is made to the X server.
> If you do a "who" you will see:
>
> (RedHat 6.0, without upgrading from previous RedHat release)
> wage pts/0 Jun 6 01:39 (:0.0)
>
> Or on older versions:
> wage ttyp0 Jun 6 01:39 (:0.0)
>
> Now this is normal, but the problem lies within the permissions of that
> device.
>
> On older RedHat's if you did:
> ls -l /dev/ttyp3 you would see:
> crw------- 1 wage tty 3, 0 Jun 6 12:41 /dev/ttyp0
> Which is normal and what it should look like.
[...]
> This means that everyone has read/write/execute permissions to that
> device.
> So as you can see our ttyp0 can only be read or written to by it's owner
> (and root).
>
> In the case of RedHat 6.0 with regular remote connections (like telnet)
> the standard permissions are as follows:
>
> crw--w---- 1 ov3r tty 136, 0 Jun 6 12:32 /dev/pts/0
>
> Here it's almost the same except that group "tty" also has write access.
>
>
> The problem lies in the way that the permissions are set for local
> connections with the X server using xterm.
> if you do an ls -l /dev/pts/<the xterm's tty> (we will use pts/0)
> You get:
> crw--w--w- 1 ov3r ov3r 136, 0 Jun 6 12:32 /dev/pts/0
>
> Notice how now "everyone" has write access to this terminal?
> This leads to the hole that any local user can disrupt any xterminal
> connected to the local machine. Simply typing "cat /dev/urandom >
> /dev/pts/<number>" will flood the xterm with garbage data making it
> impossible to use. Or we can also bring back the old "flash" attack and
> flash the user's xterm by dumping ASCII escape characters to his
> terminal.
>
> This isn't a particularily "deadly" DoS attack, but can be used as a
> nuisance OR perhaps even to trick the user into doing something he may
> not want to do. (For example dumping "Login:" then "Password:" to the
> terminal may trick the user into adding his login/password to a file or
> to
> his .bash_history).
__
Trevor Johnson
-------------------------------------------------------------------------------------
Date: Mon, 7 Jun 1999 14:09:28 -0400
From: sacha faust <[email protected]>
To: [email protected]
Subject: Re: RedHat 6.0, /dev/pts permissions bug when using xterm
You can disable it from /etc/fstab by commenting out the /dev/pts entry, and
Red Hat will use the default /dev/tty. I think Solaris uses /dev/pts, and
with proper permissions.
-------------------------------------------------------------------------------------
Date: Mon, 7 Jun 1999 16:49:01 -0700
From: Patrick Stoddard <[email protected]>
To: [email protected]
Subject: Re: Red Hat 6.0, /dev/pts permissions bug when using xterm
After seeing the previous message on this topic, I looked at my Red Hat 6.0
system (with the 2.2.5-22 kernel upgrade from Red Hat), and found that his
message is correct - when using a "gnome-terminal", as opposed to "xterm" or
"nxterm". All 3 types of terminals use the /dev/pts/(number) with this
version of Red Hat 6.0, but it looks like if you launch an "xterm" or
"nxterm" the permissions for those terminal windows are set like this:
crw--w---- 1 stoddard stoddard 136, 0 Jun 7 23:44 0
This would appear to give only my user login and group "stoddard" (on my
system, that group only has one user) write access to that terminal window.
It appears that the problem is with the "gnome-terminal" program, part of
the "gnome-core" RPM from the Red Hat 6.0 install (specifically, on my
system, that would be gnome-core-1.0.4-34.i386.rpm), that is susceptible to
the attacks mentioned in the previous message (and I have been able to do the
"cat /dev/urandom > /dev/pts/(number)" and see the random stream of
characters on that window).
Patrick Stoddard, M.I.S. Manager
Community Information & Referral
1515 E. Osborn Road
Phoenix AZ 85014-5390
E-mail: [email protected]
-------------------------------------------------------------------------------------
Date: Tue, 8 Jun 1999 17:46:02 +0200
From: S.G. <[email protected]>
To: [email protected]
Subject: Re: RedHat 6.0, /dev/pts permissions bug when using xterm
Very nice. This problem applies also to Midnight Commander, both under X
and in text mode.
Under KDE this problem applies to rxvt, but not to kvt, xterm and nxterm.
-------------------------------------------------------------------------------------
Date: Tue, 8 Jun 1999 10:24:29 -0700
From: Zack <[email protected]>
To: [email protected]
Subject: Re: RedHat 6.0, /dev/pts permissions bug when using xterm
in /etc/fstab:
none /dev/pts devpts gid=5,mode=620 0 0
--
---------------------{*}-----------------------
The sand castle is being washed out by the sea.
-----------------------------------------------
-------------------------------------------------------------------------------------
Date: Tue, 8 Jun 1999 11:23:20 -0700
From: Brian D. Winters <[email protected]>
To: [email protected]
Subject: Re: RedHat 6.0, /dev/pts permissions bug when using xterm
On Tue, Jun 08, 1999 at 10:24:29AM -0700, Zack wrote:
> in /etc/fstab:
>
> none /dev/pts devpts gid=5,mode=620 0 0
This is not sufficient when using rxvt and apparently several other
xterm-a-likes. By default rxvt overrides the gid with the user's gid
and changes the permissions to 622, even if the permissions specified
in fstab are more restrictive than 622. The solution with rxvt is to
pass --enable-ttygid to the configure script.
Brian
-------------------------------------------------------------------------------------
Date: Thu, 10 Jun 1999 08:45:54 -0500
From: [email protected]
To: [email protected]
Subject: Re: [linux-security] Re: RedHat 6.0, /dev/pts permissions bug when using xterm
I maintain the rxvt rpms and rxvt-2.6.0 is out, it can be found
at ftp://ftp.falsehope.com/pub/rxvt. The author/maintainer of the
source requested I put that configure option in back in version
rxvt-2.6.PRE3 :)
On 10 Jun, Trevor Johnson wrote:
> Brian's fix works for me. I did up an SRPM (unsigned) with it in:
>
> http://linuxatlax.org/trevor/srpms/rxvt-2.6.PRE2-6.src.rpm
>
> Brian D. Winters <[email protected]> wrote:
>
>> On Tue, Jun 08, 1999 at 10:24:29AM -0700, Zack wrote:
>> > in /etc/fstab:
>> >
>> > none /dev/pts devpts gid=5,mode=620 0 0
>>
>> This is not sufficient when using rxvt and apparently several other
>> xterm-a-likes. By default rxvt overides the gid with the user's gid
>> and changes the permissions to 622, even if the permissions specified
>> in fstab are more restrictive than 622. The solution with rxvt is to
>> pass --enable-ttygid to the configure script.
> __
> Trevor Johnson
--
,------------------------------------.,------------------------------------.
| Ryan Weaver || email: [email protected] |
| Unix Systems Administrator || phone: (281) 447-7025 |
| InfoHighway International Inc. || web : http://www.infohwy.com |
`------------------------------------'`------------------------------------'
-------------------------------------------------------------------------------------
Date: Fri, 11 Jun 1999 11:29:42 -0600
From: Scott Wunsch <[email protected]>
To: [email protected]
Subject: Re: RedHat 6.0, /dev/pts permissions bug when using xterm
> This is not sufficient when using rxvt and apparently several other
> xterm-a-likes. By default rxvt overides the gid with the user's gid
> and changes the permissions to 622, even if the permissions specified
> in fstab are more restrictive than 622. The solution with rxvt is to
> pass --enable-ttygid to the configure script.
I've been playing with this, and --enable-ttygid isn't enough either. It looks
like rxvt has to be suid root in order to set the gid on the tty. Mortals
can't do it:
[scott@pytheas] ~$ chgrp tty /dev/pts/1
chgrp: you are not a member of group `tty': Operation not permitted
So which one is the bigger security risk? Suid root xterms or world-writable
pseudottys?
--
Take care,
Scott \\'unsch
-------------------------------------------------------------------------------------
Date: Mon, 14 Jun 1999 10:46:08 -0700
From: Brian D. Winters <[email protected]>
To: [email protected]
Subject: Re: RedHat 6.0, /dev/pts permissions bug when using xterm
On Fri, Jun 11, 1999 at 11:29:42AM -0600, Scott Wunsch wrote:
> > This is not sufficient when using rxvt and apparently several other
> > xterm-a-likes. By default rxvt overides the gid with the user's gid
> > and changes the permissions to 622, even if the permissions specified
> > in fstab are more restrictive than 622. The solution with rxvt is to
> > pass --enable-ttygid to the configure script.
>
> I've been playing with this, and --enable-ttygid isn't enough either. It looks
> like rxvt has to bee suid root in order to set the gid on the tty. Mortals
> can't do it:
>
> [scott@pytheas] ~$ chgrp tty /dev/pts/1
> chgrp: you are not a member of group `tty': Operation not permitted
>
>
> So which one is the bigger security risk? Suid root xterms or world-writable
> pseudottys?
Sorry to respond a few days late, but it just occurred to me what you
are missing here. My rxvt is not suid or sgid, because /dev/pts is
mounted with tty as the default group, which was mentioned earlier as
being part of the solution:
none /dev/pts devpts gid=5,mode=620 0 0
On my system gid 5 is tty. So, if you do that and use the
--enable-ttygid switch when you build rxvt, you have no world writable
pseudottys and rxvt has no special privileges. Sounds to me like that
is as good as it gets.
Brian
-------------------------------------------------------------------------------------
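As an editorial addition to this thread (not code posted by any of the participants above), here is a small POSIX shell audit for the two things the discussion settles on: that devpts is mounted with a pinned gid and a mode without the world-write bit, and that each live pty under /dev/pts is writable by nobody but its owner and the tty group. It assumes Linux with GNU stat(1), devpts on /dev/pts, and "tty" as the group that should own ptys (gid 5 on the Red Hat boxes quoted above); the fstab lines it is shown against are constructed from the ones in the thread. The checking functions take their input as arguments, so they can be exercised against the listings quoted earlier (a 622 rxvt pty, a 620 pty in the user's own group) without a live X session.

```shell
#!/bin/sh
# Editorial example added to this thread; not code from any participant.
# Audits pty permissions the way the thread recommends checking them.
# Assumptions: Linux, GNU stat(1), devpts mounted on /dev/pts, and that
# the group which should own ptys is named "tty" (gid 5 on Red Hat 6.0).

# Verdict for one pty given its octal mode (e.g. 620) and its group name.
#   ok              : no write bit for "other"; any group write goes to tty
#   world-writable  : the bug from the original post (rxvt/gnome-terminal 622)
#   group-writable  : group has write but the group is not tty, so everyone
#                     in the user's own group can write to the terminal
pty_mode_verdict() {
    mode=$1
    group=$2
    other=${mode#"${mode%?}"}              # last octal digit: "other" bits
    grp=${mode%?}; grp=${grp#"${grp%?}"}   # middle digit: group bits
    case $other in
        2|3|6|7) echo "world-writable"; return 1 ;;
    esac
    case $grp in
        2|3|6|7)
            if [ "$group" != "tty" ]; then
                echo "group-writable"; return 1
            fi ;;
    esac
    echo "ok"
}

# Verdict for one fstab(5)/mtab-style line. "ok" only when the line is a
# devpts mount that pins gid= and gives mode= no write bit for "other",
# i.e. the "none /dev/pts devpts gid=5,mode=620 0 0" form from the thread.
# Treating a missing mode= as a failure is this example's assumption.
devpts_line_verdict() {
    line=$1
    set -- $line
    [ "$3" = "devpts" ] || { echo "not-devpts"; return 1; }
    opts=$4
    mode=""; gid=""
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            mode=*) mode=${o#mode=} ;;
            gid=*)  gid=${o#gid=} ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$gid" ]  || { echo "no-gid"; return 1; }
    [ -n "$mode" ] || { echo "no-mode"; return 1; }
    other=${mode#"${mode%?}"}
    case $other in
        2|3|6|7) echo "mode-world-writable"; return 1 ;;
    esac
    echo "ok"
}

# Walk the live ptys. A terminal emulator that chmods its own pty (rxvt
# without --enable-ttygid) defeats the mount options, so this check is
# what actually catches the bug. Returns 1 if any pty is not "ok".
audit_devpts() {
    rc=0
    for p in /dev/pts/[0-9]*; do
        [ -c "$p" ] || continue
        set -- $(stat -c '%a %G %U' "$p")    # GNU stat: octal mode, group, owner
        v=$(pty_mode_verdict "$1" "$2" || true)
        printf '%s mode=%s group=%s owner=%s %s\n' "$p" "$1" "$2" "$3" "$v"
        [ "$v" = "ok" ] || rc=1
    done
    return $rc
}

# Usage: sh pts-audit.sh audit   (checks /etc/fstab, then every live pty)
case ${1:-} in
    audit)
        grep -E '^[^#].*[[:space:]]devpts[[:space:]]' /etc/fstab 2>/dev/null |
        while IFS= read -r l; do
            printf 'fstab: %s -> %s\n' "$l" "$(devpts_line_verdict "$l" || true)"
        done
        audit_devpts ;;
esac
```

Run as an ordinary user with `sh pts-audit.sh audit`; no privilege is needed to stat /dev/pts entries. A pty that reports "ok" from the mount-line check but "world-writable" or "group-writable" from the live walk is exactly the case Brian describes: the emulator, not the mount, is setting the mode.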
Date: Mon, 14 Jun 1999 09:31:07 +0200
From: Gabriel Krabbe <[email protected]>
To: [email protected]
Subject: Re: RedHat 6.0, /dev/pts permissions bug when using xterm
On Friday, June 11, 1999, Scott Wunsch wrote:
>> This is not sufficient when using rxvt and apparently several other
>> xterm-a-likes. By default rxvt overides the gid with the user's gid
>> and changes the permissions to 622, even if the permissions specified
>> in fstab are more restrictive than 622. The solution with rxvt is to
>> pass --enable-ttygid to the configure script.
>
> I've been playing with this, and --enable-ttygid isn't enough either. It looks
> like rxvt has to bee suid root in order to set the gid on the tty. Mortals
> can't do it:
chmod g+s /usr/X11R6/bin/rxvt
Gabriel Krabbe
--
Some days, nothing goes left.