For mgetty users with non-trusted shell logins
Marc SCHAEFER (schaefer@alphanet.ch)
27 Jan 1999 1907:09:53 +0100
l41484@alfa.ist.utl.pt wrote:
> Well if we fiddle with the S2 register (by disabling the escape
> characters) wouldn't we avoid people, entering into command command and
> thus controlling the matter?
The exploit doesn't depend on the escape sequence working. The
documentation in doc/secure_tty.txt explains that disabling the
escape sequence is the first step for *any* security. The escape
sequence enabled could make part of the attack possible although
the work-around ptylogin/rlogin is implemented.
> Although I think, this would stop the called machine, from terminating
> the call. (with +++ATH) This could be prevented, by not disabling the
No, it doesn't :)
> another possibility, would be fiddling with &D", S25 register and a DTR
> transition to hangup?
I use this on my system (it's also a recommendation by Gert for
reliability). It doesn't fix the problem. On the contrary, NOT making
DTR drop hangup, might, in some cases, make the attack more difficult,
however it has many other drawbacks.
[ and yes, my /dev/ttyS0 is chmod 600 root.root when mgetty accepts a call,
but this doesn't fix the problem
]
In summary:
- an entry which is bidirectionally connected to a modem is sufficient
for an attack.