Check someone's mesg status without write?


Post by Rezlets on Wed Feb 12, 2014 8:18 pm

Is it possible to see whether someone has mesg set to y (allowing them to see "write" messages) or not on their terminal, without actually sending them a message?


Re: Check someone's mesg status without write?

Post by Tentra on Wed Feb 12, 2014 8:44 pm

I've never used or even heard of mesg until I read the man page. So this may or may not be entirely accurate.

I believe this is possible by checking file permissions of the specific tty the user is using. I ran `strace mesg` to see what file mesg was checking to determine write ability. For reference I am using Fedora 20 x86_64 with ZSH as my login shell.

Strace showed mesg was checking the permissions of /dev/pts/1. Mesg was showing write access was disabled for me. I then did the following:

```
[tentra@tentra-laptop]~% mesg
is n
[tentra@tentra-laptop]~% ls -la /dev/pts/*
crw--w----. 1 tentra tty  136, 0 Feb 12 19:27 /dev/pts/0
crw-------. 1 tentra tty  136, 1 Feb 12 19:32 /dev/pts/1
c---------. 1 root   root   5, 2 Feb 12 19:27 /dev/pts/ptmx
[tentra@tentra-laptop]~% mesg y
[tentra@tentra-laptop]~% ls -la /dev/pts/*
crw--w----. 1 tentra tty  136, 0 Feb 12 19:27 /dev/pts/0
crw--w----. 1 tentra tty  136, 1 Feb 12  2014 /dev/pts/1
c---------. 1 root   root   5, 2 Feb 12 19:27 /dev/pts/ptmx
```


I believe mesg simply checks whether there is group write access to your current shell. I was also running these commands inside a terminal emulator rather than a login shell, which I believe is what /dev/pts/0 is.

So, if you know the device file representing the user's shell that you wish to check write access for, you should simply check for group write access to that device file.
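The check described in the answer above, as an added example that is not part of the original posts: a POSIX shell script that reads only the `ls -ld` permission string of each session's terminal device and reports the group-write bit as mesg status. `DEV_ROOT` and the function names are illustrative assumptions.

```sh
#!/bin/sh
# Added example: derive mesg status from tty device permissions.
# DEV_ROOT and all function names are illustrative, not from the thread.
DEV_ROOT=${DEV_ROOT:-/dev}

# perms_to_mesg PERM_STRING
# PERM_STRING is the first field of `ls -l`, e.g. "crw--w----." (a trailing
# SELinux "." or ACL "+" is tolerated). Character 6 is the group-write bit.
# Prints "y" if it is set, "n" if it is clear, "?" if the string is malformed.
perms_to_mesg() {
    case $1 in
        ?????w????*) echo y ;;
        ?????-????*) echo n ;;
        *)           echo '?' ;;
    esac
}

# tty_mesg LINE
# LINE is a terminal name as printed by who(1), e.g. "pts/1".
# Only metadata is read; the device is never opened or written to.
tty_mesg() {
    dev="$DEV_ROOT/$1"
    # A missing or non-character device cannot be a live terminal.
    [ -c "$dev" ] || { echo '?'; return 0; }
    perms=$(ls -ld "$dev" 2>/dev/null | cut -c1-10)
    perms_to_mesg "$perms"
}

# report_sessions
# Reads who(1)-style lines (user, line, ...) on stdin and prints
# "user line status" for each session.
report_sessions() {
    while read -r user line _rest; do
        [ -n "$line" ] || continue
        printf '%s %s %s\n' "$user" "$line" "$(tty_mesg "$line")"
    done
}

# Typical use on a multi-user host:
#   who | report_sessions
```

GNU `who -T` prints the same bit as `+` or `-` next to each session.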


Re: Check someone's mesg status without write?

Post by Rezlets on Wed Feb 12, 2014 11:03 pm

Thanks, Tentra. I know finger gives me their pts number, so I'll try that. (I hadn't realized that you could potentially access other people's terminals through /dev. I very much doubt I have read access to them, but really simple keylogging with echo </dev/whatever is worth a shot.)


Re: Check someone's mesg status without write?

Post by Tentra on Thu Feb 13, 2014 1:36 am

That won't work in the way you hope. If you look back up to the terminal snippet I posted, you'll see that group only has write permissions, not read.

Even if you were able to get read permissions on the other user's TTY, you wouldn't be able to intercept their keystrokes with cat as it is blocking. That means their keystrokes would be redirected to your terminal and not echoed back to them in theirs, meaning they couldn't see what they're typing, which is a little too obvious for a keylogger :)

This is actually a pretty interesting approach in my opinion. I would guess you would have to write something to automate the attack by having the user connect to a dummy TTY which you would be able to log and redirect to a real TTY. The general idea would be something like:

  • Read a byte from the user's dummy TTY
  • Log it
  • Append it to a TTY you have in the background
  • Return the same byte read to the user's TTY
  • Return anything from the background TTY, which would happen once they press enter

That's the simplest way I can think of to accomplish this. Although, I'm sure someone who is much more fluent with Linux than I am could come up with a better idea.