For mgetty users with non-trusted shell logins

l41484@alfa.ist.utl.pt (l41484@alfa.ist.utl.pt)
Wed, 27 Jan 1999 10:46:26 +0100


On 27 Jan 1999, Marc SCHAEFER wrote:

> l41484@alfa.ist.utl.pt wrote:
> > Well if we fiddle with the S2 register (by disabling the escape
> > characters) wouldn't we avoid people entering into command mode and
> > thus controlling the matter?
> 
> The exploit doesn't depend on the escape sequence working. The
> documentation in doc/secure_tty.txt explains that disabling the
> escape sequence is the first step for *any* security. The escape
> sequence being enabled could make part of the attack possible although
> the work-around ptylogin/rlogin is implemented.

Got it. I think I now have a slight idea how this works.

> > Although I think this would stop the called machine from terminating
> > the call (with +++ATH). This could be prevented, by not disabling the
> 
> No, it doesn't :)

With +++ATH, like I said. :-)

> > another possibility would be fiddling with &D", the S25 register and a DTR
> > transition to hang up?

&D2 nor &D"  :-)

> I use this on my system (it's also a recommendation by Gert for
> reliability). It doesn't fix the problem. On the contrary, NOT making
> a DTR drop hang up might, in some cases, make the attack more difficult;
> however, it has many other drawbacks.
> [ and yes, my /dev/ttyS0 is chmod 600 root.root when mgetty accepts a call,
>   but this doesn't fix the problem
>  ]
> 
> In summary:
>    - an entry which is bidirectionally connected to a modem is sufficient
>      for an attack.

Ok, I think I've got it. Will now return to my cave. :-)

--
Tiago Pascoal  (l41484@alfa.ist.utl.pt)               FAX : +351-1-7273394
Politically incorrect, and a (not very) prominent member of the "geracao rasca" (the lousy generation).