Date: Mon, 7 Jan 2013 23:23:49 +0100 From: vladz <vladz@...zero.fr> To: oss-security@...ts.openwall.com Subject: /dev/ptmx timing Hi list, I noticed that it was possible to measure inter-keystrokes timing thanks to the /dev/ptmx character device. Any local user that is using pseudo-terminal can be targeted. As it may also be used to disclose sensible information such as password length, I was wondering if it should be treat as a security issue? Description + PoC: http://vladz.devzero.fr/013_ptmx-timing.php. No sure right now but I think the only way to solve this is to modify the pts handling at kernel level. Any opinions on that? Thanks, vladz.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ