CVE-1999-0720

Vulnerability

The pt_chown command, included with GNU glibc versions 2.1.x and shipped with RedHat Linux 6.0, is installed setuid root. It is designed to assist in terminal allocation for non-setuid programs lacking devpts support. The program is vulnerable due to insufficient security checks, allowing malicious users to manipulate TTY terminal devices that do not belong to them [1].

Exploitation

A local attacker can exploit this vulnerability by tricking pt_chown into granting them access to TTY input/output streams. This is achieved by providing a writable, allocated TTY device (e.g., /dev/ttyXX opened by a program like screen) as an argument to a specially crafted program that then calls pt_chown [1].

Impact

Successful exploitation allows an attacker to write arbitrary data to TTY streams belonging to other users. This can lead to terminal hijacking and, in some configurations, potentially a full system compromise with root privileges [1].

Mitigation

This vulnerability was addressed in later versions of glibc. Users are advised to upgrade to a patched version of glibc. Specific fixed versions and release dates are not detailed in the provided references. No workarounds are specified, and the vulnerability is not listed as being part of the Known Exploited Vulnerabilities (KEV) catalog [1].