发布时间 :2000-05-03 00:00:00
修订时间 :2008-09-10 15:04:14

[原文]The pam_console PAM module in Linux systems performs a chown on various devices upon a user login, but an open file descriptor for those devices can be maintained after the user logs out, which allows that user to sniff activity on these devices when subsequent users log in.


        Linux系统下的pam_console PAM模块有根据登陆用户修改多个设备文件属主的作用,但在用户退出登陆后,打开文件描述符仍将维护这些设备,随后的用户可以利用这个漏洞在登陆时做嗅探行为。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:redhat:linux:6.2Red Hat Linux 6.2
cpe:/o:redhat:linux:6.1Red Hat Linux 6.1
cpe:/o:redhat:linux:6.0Red Hat Linux 6.0

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BID  1176
(UNKNOWN)  BUGTRAQ  20000502 pam_console bug

- 漏洞信息

高危 访问验证错误
2000-05-03 00:00:00 2005-05-02 00:00:00
        Linux系统下的pam_console PAM模块有根据登陆用户修改多个设备文件属主的作用,但在用户退出登陆后,打开文件描述符仍将维护这些设备,随后的用户可以利用这个漏洞在登陆时做嗅探行为。

- 公告与补丁


- 漏洞信息 (19900)

RedHat Linux 6.0/6.1/6.2 pam_console Vulnerability (EDBID:19900)
linux local
2000-05-03 Verified
0 Michal Zalewski
N/A [点击下载]

A vulnerability exists in the pam_console PAM module, included as part of any Linux system running PAM. pam_console exists to own certain devices to users logging in to the console of a Linux machine. It is designed to allow only console users to utilize things such as sound devices. It will chown devices to users upon logging in, and chown them back to being owned by root upon logout. However, as certain devices do not have a 'hangup' mechanism, like a tty device, it is possible for a local user to continue to monitor activity on certain devices after logging out. This could allow an malicious user to sniff other users console sessions, and potentially obtain the root password if the root user logs in, or a user su's to root. They could also surreptitiously execute commands as the user on the console.

#include <sys/fcntl.h>

main(int argc,char*argv[]) {
  char buf[80*24];
  int f=open(argv[1],O_RDWR);
  while (1) {
    write(1,"\033[2J\033[H",7); // clear terminal, vt100/linux/ansi

- 漏洞信息

Multiple Linux Vendor pam_console Persistent Open File Descriptor Information Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality Solution Unknown
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2000-05-02 Unknow
Unknow Unknow

- 解决方案

OSVDB is not aware of a solution for this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete