Bug 3326 - New DoS
Summary: New DoS
Status: CLOSED DUPLICATE of bug 3025
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: XFree86
Version: 6.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: David Lawrence
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 1999-06-08 02:10 UTC by fleck
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-06-16 17:08:54 UTC

Attachments (Terms of Use)

Description fleck 1999-06-08 02:10:44 UTC
This message was recently submitted to bugtraq:
Just in case anyone missed it! :-)


Once again I've come up with another trivial Denial of
Service flaw,
I seem to be good at this Conseal Firewall, +++ath0, ppp

It's been a few months since my last DoS, so here you go:

Many of you RedHat 6.0 users who installed RedHat 6.0
rather than
upgrading may have noticed the new way RedHat displays
remote TTY's.
Instead of the old fashioned /dev/ttyp<number>, it now uses
/dev/pts/<number>.  There is a flaw in this new
implementation that
users can exploit to cause minor disruption to anyone using
X-windows on
the local machine.
This DoS is more of a nuisance than a "real problem" but it
be used to cause some minor havok.

The way it works is simple.  When whoever is using X opens
up an "xterm"
(eterm, rxvt, nxterm...) a connection is made to the X
If you do a "who" you will see:

(RedHat 6.0, without upgrading from previous RedHat release)
wage     pts/0    Jun  6 01:39 (:0.0)

Or on older versions:
wage     ttyp0    Jun  6 01:39 (:0.0)

Now this is normal, but the problem lies within the
permissions of that

On older RedHat's if you did:
ls -l /dev/ttyp3 you would see:
crw-------   1 wage     tty        3,   0 Jun  6
12:41 /dev/ttyp0
Which is normal and what it should look like.
For those of you who may be new to unix those letters at
the beginning
the line indicate the permissions on the device.
For our output above, the line indicates it is a device
(c), and that
OWNER has read and write permissions (rw)
Group has no permissions (---), and everyone has no
permissions (---)
They basically go <type indicator><owner><group><everyone>
An example line of a device will ALL permissions set
                /   |   \
           Owner  Group  Everyone
This means that everyone has read/write/execute permissions
to that
So as you can see our ttyp0 can only be read or written to
by it's owner
(and root).

In the case of RedHat 6.0 with regular remote connections
(like telnet)
the standard permissions are as follows:

crw--w----   1 ov3r     tty     136,   0 Jun  6
12:32 /dev/pts/0

Here it's almost the same except that group "tty" also has
write access.

The problem lies in the way that the permissions are set
for local
connections with the X server using xterm.
if you do an ls -l /dev/pts/<the xterm's tty> (we will use
You get:
crw--w--w-   1 ov3r     ov3r     136,   0 Jun  6
12:32 /dev/pts/0

Notice how now "everyone" has write access to this terminal?
This leads to the hole that any local user can disrupt any
connected to the local machine.  Simply
typing "cat /dev/urandom >
/dev/pts/<number>" will flood the xterm with garbage data
making it
impossible to use.  Or we can also bring back the
old "flash" attack and
flash the user'sxterm by dumping ASCII escape characters
to his

This isn't a particularily "deadly" DoS attack, but can be
used as a
nuisance OR perhaps even to trick the user into doing
something he may
not want to do.  (For example dumping "Login:"
then "Password:" to the
terminal may trick the user into adding his login/password
to a file or
his .bash_history).

Comment 1 Dale Lovelace 1999-06-09 15:32:59 UTC
Confirmed on Gnome-Terminal, rxvt, and xterm. One peculiarity is that
if you "su" while in the terminal, and no other terminals are open on
your machine, permissions change to crw-------, and stay that way when
you exit.

Comment 2 Bill Nottingham 1999-06-16 17:08:59 UTC
*** This bug has been marked as a duplicate of 3025 ***

Note You need to log in before you can comment on or make changes to this bug.