Xref: utzoo comp.unix.wizards:25262 alt.security:2372
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!ncar!midway!mimsy!mojo!russotto
From: russotto@eng.umd.edu (Matthew T. Russotto)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <1991Apr30.220259.6797@eng.umd.edu>
Date: 30 Apr 91 22:02:59 GMT
References: <3600:Apr2614:04:4391@kramden.acf.nyu.edu> <13218@goofy.Apple.COM> <1991Apr29.222139.21284@pcserver2.naitc.com>
Sender: news@eng.umd.edu (C-News)
Organization: College of Engineering, Maryversity of Uniland, College Park
Lines: 25

In article <1991Apr29.222139.21284@pcserver2.naitc.com> kdenning@pcserver2.naitc.com (Karl Denninger) writes:
>
>I have to agree.
>
>I am in charge of Internet and external security here.  There is another
>group which is in charge of internal security.
>
>Both of us, I'm sure, would like to have some FACTS on this stuff.  TIOCSTI
>is well known as a problem, but I thought that was supposed to be restricted
>to use by root (unless it's your control terminal....).

The trick is to grab control of the next unused terminal.  Then, the next
sucker to log in is vulnerable.  It works.

>I think I just heard you say that was all malarkey, that anyone could
>TIOCSTI my root session while logged in over a pty, and that you could
>exploit those items to gain control of my session.
>
>From the manual pages, I believe it shouldn't work.

It worked on certain Ultrix revisions-- can't say anything about any other
systems.
--
Matthew T. Russotto	russotto@eng.umd.edu	russotto@wam.umd.edu
     .sig under construction, like the rest of this campus.