>> Thus an attacker could:
>> - cause securetty checks to fail resulting in a DoS, or
>> - bypass or trick some checks in pam_time or pam_group.

> Please state more clearly ...
We have seen how utmp entries can be "fudged", left behind, with or without access to group utmp.

Suppose a utmp entry is "fabricated" with "correct" PID etc., and ut_line set to /tmp/x and /tmp/x made a symlink to the "correct" tty. That entry will then be used by login; it will set PAM_TTY to /tmp/x, which will fail securetty checks: resulting in a DoS.

Suppose we see pam_time or pam_group allowing something to (e.g.) tty0. Then we "fabricate" a utmp entry with ut_line set to /tmp/tty0 and make /tmp/tty0 point to our tty. Login will set PAM_TTY to /tmp/tty0 and PAM will give us the goodies.

Please let me know if the above is unclear or insufficient.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
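An added example, in Python, that is not code from this mail, from login or from Linux-PAM: it shows the checks a login program or a utmp audit script could apply to ut_line before that value is trusted as PAM_TTY, so that a fabricated entry naming /tmp/x or /tmp/tty0 (a symlink to a real tty) is rejected rather than handed to pam_securetty, pam_time or pam_group. The device directory, the scratch-directory fixture and the sample utmp entries are assumptions made for illustration.

```python
"""Validate a utmp ut_line before it is trusted as a tty name (e.g. as PAM_TTY).

Added example, not code from login or PAM. A tty name is accepted only if it
lies under the device directory, traverses no symlink and names a character
device; "/tmp/tty0" and "tty0/../../tmp/x" are therefore rejected.
"""
import os
import stat
import tempfile

DEV_DIR = "/dev"  # assumption: devices live under /dev


def validate_tty_line(line, dev_dir=DEV_DIR):
    """Return (True, canonical_path) or (False, reason).

    ut_line is conventionally relative to /dev ("tty0", "pts/3"); an absolute
    value is accepted only if it still lies under dev_dir.
    """
    if not line or "\0" in line:
        return False, "empty or malformed tty name"
    dev_dir = dev_dir.rstrip("/")
    candidate = line if line.startswith("/") else os.path.join(dev_dir, line)
    norm = os.path.normpath(candidate)
    # Reject anything that escapes the device directory: "/tmp/tty0",
    # "../../tmp/x" and "tty0/../../tmp/x" all normalise to a path outside it.
    if not norm.startswith(dev_dir + "/"):
        return False, "%r resolves outside %s" % (line, dev_dir)
    if not os.path.lexists(norm):
        return False, "%r does not exist" % norm
    # No component below dev_dir may be a symlink: the resolved path must be
    # exactly the one we built (allowing dev_dir itself to be a symlink).
    rel = os.path.relpath(norm, dev_dir)
    expected = os.path.join(os.path.realpath(dev_dir), rel)
    if os.path.realpath(norm) != expected:
        return False, "%r is or traverses a symlink" % norm
    # A tty is a character device; a plain file or directory is not one.
    if not stat.S_ISCHR(os.lstat(norm).st_mode):
        return False, "%r is not a character device" % norm
    return True, norm


def audit_utmp(entries, dev_dir=DEV_DIR):
    """Given (ut_user, ut_line) pairs, return {ut_line: reason} for rejects."""
    rejected = {}
    for _user, line in entries:
        ok, info = validate_tty_line(line, dev_dir)
        if not ok:
            rejected[line] = info
    return rejected


# Constructed entries mirroring the two scenarios described in the mail.
SAMPLE_ENTRIES = [
    ("alice", "/tmp/x"),     # fabricated: ut_line pointing into /tmp
    ("alice", "/tmp/tty0"),  # fabricated: named after a tty allowed by pam_time
    ("root", "null"),        # stand-in for a genuine character device under /dev
]


def build_fake_dev_dir():
    """Constructed fixture: a scratch 'device directory' holding the two kinds
    of bogus entry the checks above must reject even when the path itself
    is under the device directory."""
    d = tempfile.mkdtemp(prefix="fakedev-")
    os.symlink("/dev/null", os.path.join(d, "tty0"))  # symlink to a real device
    open(os.path.join(d, "ttyS9"), "w").close()        # plain file, not a device
    return d


if __name__ == "__main__":
    for line, reason in audit_utmp(SAMPLE_ENTRIES).items():
        print("REJECT %-12s %s" % (line, reason))
    fake = build_fake_dev_dir()
    for name in ("tty0", "ttyS9"):
        print(name, validate_tty_line(name, dev_dir=fake))
```

A login program that applies this check would refuse to export a rejected name as PAM_TTY and could instead derive the tty from ttyname() on its own standard input, which does not depend on utmp contents at all; run against a dump of utmp, audit_utmp lists the entries whose ut_line points outside the device directory.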