Bug 654489 (CVE-2010-4176) - CVE-2010-4176 dracut: /dev/systty permissions could allow remote users to snoop on local users
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 654935
Blocks:
Reported: 2010-11-18 00:05 UTC by Vincent Danen
Modified: 2021-03-26 15:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-22 15:38:25 UTC
Embargoed:



Description Vincent Danen 2010-11-18 00:05:38 UTC
Tavis Ormandy reported that /dev/systty in Fedora has insecure permissions (0644 instead of 0600 or 0640).  This could allow a remote user logged into the system to snoop on the terminal of any user logged in on tty0.

On Red Hat Enterprise Linux 5, /dev/systty is mode 0600, and on Red Hat Enterprise Linux 6, /dev/systty is a symlink to /dev/tty0 which is mode 0620.  So this flaw only affects Fedora.

Comment 1 Vincent Danen 2010-11-18 00:16:25 UTC
Eugene had looked at this earlier, and we believe the problem stems from /usr/share/dracut/modules.d/50plymouth/plymouth-pretrigger.sh:

    [ -c /dev/systty ] || mknod /dev/systty c 4 0

More than likely it's using the system umask to create the file (022).

It also looks as though this issue was introduced in Fedora 11, with plymouth support.  For example, on Fedora 10 /dev/systty is mode 0600.

A possible fix would be to mknod -m 600 /dev/systty c 4 0 or make /dev/systty a symlink to /dev/tty0 as it is on RHEL6.

I was unable to get anything from /dev/systty, however I'm not really sure what is using /dev/tty0 as looking in /etc/init/start-ttys.conf, we seem to only start tty[1-6] and tty1 is where X is living (i.e. F1).  I see no reference to tty0 anywhere (maybe used in runlevel 3, perhaps?).

Tavis, can you provide the command you used to get some information so that we can attempt to duplicate this?

Comment 10 Huzaifa S. Sidhpurwala 2010-11-19 04:11:07 UTC
Statement:

Not vulnerable. This issue did not affect the versions of dracut as
shipped with Red Hat Enterprise Linux 6.

Comment 11 Huzaifa S. Sidhpurwala 2010-11-19 04:14:40 UTC
Created dracut tracking bugs for this issue

Affects: fedora-all [bug 654935]

Comment 12 Tomas Hoger 2010-12-22 15:38:25 UTC
Fixed in Fedora dracut dracut-005-5.fc13 and dracut-006-5.fc14, with workaround / mitigation also added to udev udev-153-5.fc13 and udev-161-7.fc14.
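
Added example (not part of the bug report or of dracut's code): a shell sketch of the cause discussed in comment 1 and a check for it. It creates one node with the mode left to the umask and one with an explicit -m 600, then audits /dev/systty for world-readable permissions. Assumptions: GNU stat is available, FIFOs stand in for the character device so no root is needed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: FIFOs stand in for the character device so this runs
# without root; a plain mknod applies the umask to either node type.

# Print the permission bits of a path in octal (GNU stat).
node_mode() {
    stat -c '%a' "$1"
}

# Succeed (return 0) if "other" users have read access to the node.
world_readable() {
    mode=$(node_mode "$1") || return 2
    other=${mode#"${mode%?}"}        # last octal digit = bits for "other"
    [ $((other & 4)) -ne 0 ]
}

# Create a node the way the pre-trigger script did (mode left to umask)
# and the way the proposed fix does (explicit -m 600), under umask 022.
demo_modes() {
    dir=$(mktemp -d) || return 1
    (
        umask 022
        mknod "$dir/implicit" p          # 0666 & ~022 = 0644
        mknod -m 600 "$dir/explicit" p   # mode set explicitly to 0600
    )
    printf '%s %s\n' "$(node_mode "$dir/implicit")" "$(node_mode "$dir/explicit")"
    rm -rf "$dir"
}

# Audit helper: report whether a device node is readable by everyone.
audit_node() {
    if [ ! -e "$1" ]; then
        echo "$1: missing"
    elif world_readable "$1"; then
        echo "$1: mode $(node_mode "$1") is world-readable"
    else
        echo "$1: mode $(node_mode "$1") ok"
    fi
}

demo_modes
audit_node /dev/systty
```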

