Bug 654489 - (CVE-2010-4176) CVE-2010-4176 dracut: /dev/systty permissions could allow remote users to snoop on local users
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
public=20101119,reported=20101117,sou...
: Security
Depends On: 654935
Reported: 2010-11-17 19:05 EST by Vincent Danen
Modified: 2010-12-22 10:38 EST (History)
Doc Type: Bug Fix
Last Closed: 2010-12-22 10:38:25 EST

Description Vincent Danen 2010-11-17 19:05:38 EST
Tavis Ormandy reported that /dev/systty in Fedora has insecure permissions (0644 instead of 0600 or 0640).  This could allow a remote user logged into the system to snoop on the terminal of any user logged in on tty0.

On Red Hat Enterprise Linux 5, /dev/systty is mode 0600, and on Red Hat Enterprise Linux 6, /dev/systty is a symlink to /dev/tty0 which is mode 0620.  So this flaw only affects Fedora.
Comment 1 Vincent Danen 2010-11-17 19:16:25 EST
Eugene had looked at this earlier, and we believe the problem stems from /usr/share/dracut/modules.d/50plymouth/plymouth-pretrigger.sh:

    [ -c /dev/systty ] || mknod /dev/systty c 4 0

More than likely it's using the system umask to create the file (022).

It also looks as though this issue was introduced in Fedora 11, with plymouth support.  For example, on Fedora 10 /dev/systty is mode 0600.

A possible fix would be to mknod -m 600 /dev/systty c 4 0 or make /dev/systty a symlink to /dev/tty0 as it is on RHEL6.

I was unable to get anything from /dev/systty, however I'm not really sure what is using /dev/tty0 as looking in /etc/init/start-ttys.conf, we seem to only start tty[1-6] and tty1 is where X is living (i.e. F1).  I see no reference to tty0 anywhere (maybe used in runlevel 3, perhaps?).

Tavis, can you provide the command you used to get some information so that we can attempt to duplicate this?
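
The umask behaviour suspected in Comment 1, as an added example that is not part of the bug report or of dracut: it creates a node with and without -m under umask 022 and audits the resulting mode for the "other" read bit. A FIFO stands in for the c 4 0 character device so it runs without root (mknod applies the mode the same way), GNU stat is assumed, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not dracut code. A FIFO ("p") replaces the "c 4 0" character
# device so the demo runs unprivileged; function names are hypothetical.

# Octal permission bits of a path (GNU stat).
node_mode() { stat -c '%a' "$1"; }

# As in the pre-trigger script: no -m, so the mode is 0666 masked by the umask.
make_node_default() ( umask 022; mknod "$1" p )

# As proposed in the bug: -m sets the mode explicitly, independent of the umask.
make_node_fixed() ( umask 022; mknod -m 600 "$1" p )

# Succeeds (0) when "other" holds the read bit, i.e. any local user can read.
other_can_read() {
    mode=$(node_mode "$1") || return 2
    last=${mode#"${mode%?}"}        # final octal digit = permissions for "other"
    [ $(( last & 4 )) -ne 0 ]
}

# Audit one path and report the result; status 0 = fine, 1 = insecure, 2 = missing.
check_node() {
    [ -e "$1" ] || { echo "missing  $1"; return 2; }
    if other_can_read "$1"; then
        echo "INSECURE $(node_mode "$1") $1"
        return 1
    fi
    echo "ok       $(node_mode "$1") $1"
}

# Constructed sample: two nodes in a scratch directory, one per creation method.
demo() {
    dir=$(mktemp -d) || return 1
    make_node_default "$dir/systty.default"
    make_node_fixed   "$dir/systty.fixed"
    check_node "$dir/systty.default" || true
    check_node "$dir/systty.fixed"
    rm -rf "$dir"
}

demo
```

On an installed system the same audit is `check_node /dev/systty`, which follows the symlink where /dev/systty points at /dev/tty0.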
Comment 10 Huzaifa S. Sidhpurwala 2010-11-18 23:11:07 EST
Statement:

Not vulnerable. This issue did not affect the versions of dracut as
shipped with Red Hat Enterprise Linux 6.
Comment 11 Huzaifa S. Sidhpurwala 2010-11-18 23:14:40 EST
Created dracut tracking bugs for this issue

Affects: fedora-all [bug 654935]
Comment 12 Tomas Hoger 2010-12-22 10:38:25 EST
Fixed in Fedora dracut dracut-005-5.fc13 and dracut-006-5.fc14, with workaround / mitigation also added to udev udev-153-5.fc13 and udev-161-7.fc14.
