Re: PTY DOS vulnerability?

Jesse Pollard (jesse@cats-chateau.net)
Tue, 1 Jul 2003 06:57:49 -0500


On Monday 30 June 2003 09:18, Fredrik Tolf wrote:
> Has someone considered PTYs as a possible attack vector for DOS
> attacks? Correct me if I'm wrong, but cannot someone just open
> all available PTYs on a console-less server and make everyone
> unable to log in?
>
> I mean, what if eg. apache is hacked, and the first thing the
> attacker does is to tie up all PTYs, so that noone can log in to
> correct the situation while the attacker can go about his
> business? Then the only possible solution would be to reboot the
> server, which might very well not be desirable.
>
> If you want proof of concept code, look at
> http://www.dolda2000.cjb.net/~fredrik/ptmx.c
> I successfully ran this on one of my servers which effectively
> disabled anyone from logging in via SSH.
>
> Shouldn't PTYs be a per-user resource limit?
>
> Someone must have thought of this before me, right? How am I
> wrong?

One problem is that ptys are not just "used by the user". Every terminal
window opened uses a pty. As does a network connection.

As does "expect" - which is less visible to the user since it is intended
to be invisible.

The real question is "how many PTYs should a single user have?"
Which then prompts the question "How many concurrent users should there be?"

second, just providing a user limit doesn't prevent a denial of service..
Just have more connections than ptys and you are in the same situation.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/