BSD tty security, part 4: What You Can Look Forward To

Lawrence C Foard entropy at wpi.WPI.EDU
Fri May 3 06:28:47 AEST 1991


In article <11974:May214:00:3691 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>In article <721 at seqp4.UUCP> jdarcy at seqp4.ORG (Jeff d'Arcy) writes:
>> The fact is that Dan would hardly be the first
>> person to make such an offer without having the goods to back it up.
>
>As Steve Bellovin, Gene Spafford, Tom Christiansen, various BSD folks
>including Marc Teitelbaum and Keith Bostic, CERT, and a couple of other
>people can attest, I *do* have the goods: a program that compiles, runs,
>and breaks tty security sufficiently well to invisibly execute a command
[rest deleted]

I agree:

With the information already posted here, it took me about 20 minutes to make
a program that could execute commands on other people's terminals (80% of the
time spent in man). I briefly described how it worked to one of the people I
tested it on; they made a similar program by the time I walked across campus.

I think it is safe to assume that anyone who has read this group and has
minimal unix programming knowledge could duplicate it easily.

Clearly security through obscurity isn't an option in this case.

One other possible attack occurs to me, and I don't think the fixes I have seen
posted would prevent it:

1) Make an unused tty device into your controlling terminal, 
2) Close it. 
3) You currently have no open files.
4) Wait for a victim to log in on the tty, open /dev/tty and use TIOCSTI on it.


