Bug 654489 (CVE-2010-4176)

Summary: CVE-2010-4176 dracut: /dev/systty permissions could allow remote users to snoop on local users
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: harald, security-response-team, taviso
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-22 15:38:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 654935    
Bug Blocks:    

Description Vincent Danen 2010-11-18 00:05:38 UTC 
Tavis Ormandy reported that /dev/systty in Fedora has insecure permissions (0644 instead of 0600 or 0640).  This could allow a remote user logged into the system to snoop on the terminal of any user logged in on tty0.

On Red Hat Enterprise Linux 5, /dev/systty is mode 0600, and on Red Hat Enterprise Linux 6, /dev/systty is a symlink to /dev/tty0 which is mode 0620.  So this flaw only affects Fedora.
Comment 1 Vincent Danen 2010-11-18 00:16:25 UTC 
Eugene had looked at this earlier, and we believe the problem stems from /usr/share/dracut/modules.d/50plymouth/plymouth-pretrigger.sh:

12     [ -c /dev/systty ] || mknod /dev/systty c 4 0

More than likely it's using the system umask to create the file (022).

It also looks as though this issue was introduced in Fedora 11, with plymouth support.  For example, on Fedora 10 /dev/systty is mode 0600.

A possible fix would be to mknod -m 600 /dev/systty c 4 0 or make /dev/systty a symlink to /dev/tty0 as it on RHEL6.

I was unable to get anything from /dev/systty, however I'm not really sure what is using /dev/tty0 as looking in /etc/init/start-ttys.conf, we seem to only start tty[1-6] and tty1 is where X is living (i.e. F1).  I see no reference to tty0 anywhere (maybe used in runlevel 3, perhaps?).

Tavis, can you provide the command you used to get some information so that we can attempt to duplicate this?
Comment 10 Huzaifa S. Sidhpurwala 2010-11-19 04:11:07 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of dracut as
shipped with Red Hat Enterprise Linux 6.
Comment 11 Huzaifa S. Sidhpurwala 2010-11-19 04:14:40 UTC 
Created dracut tracking bugs for this issue

Affects: fedora-all [bug 654935]
Comment 12 Tomas Hoger 2010-12-22 15:38:25 UTC 
Fixed in Fedora dracut dracut-005-5.fc13 and dracut-006-5.fc14, with workaround / mitigation also added to udev udev-153-5.fc13 and udev-161-7.fc14.