Vulnerability Description
Brief Description: The microphone on early Sun workstations enables users to eavesdrop on those in the room where the microphone is located.
Detailed Description: The microphone on Sun workstations is connedted to a file corresponding to the audio device. If the device permissions allow read access to this device, any user who can read the device can read the input from the microphone. Hence they can hear anything that the microphone can pick up.
Component(s): microphone, /dev/audio, /dev/audioctl, /dev/mic, audioplay(8)
Version(s): All versions
Operating System(s): Sun workstations with microphones (unverified), SunOS 4.1.x, 5.x (unverified), audioplay
Other Information: You must have access to the system to which the microphone is connected.
Effects:Your private conversations may be overheard
Detecting the Vulnerability:
* If all the following conditions are met, you have the hole.
1. Check the permissions on the device corresponding to microphone input. This is usually /dev/ audio or /dev/mic. If the permissions do not allow reading, you are not vulnerable.
2. Check the physical microphone device. If it is not connected to the system, or if it is turned off, you are not vulnerable.
Fixing the Vulnerability:
* Switch off or unplug the microphone.
* Change the permissions of the relevant files. The following fragment makes them accessible only to the user audiouser:
chmod 600 /dev/audio*
chown audiouser /dev/audio
* In SunOS 4.1.x, set /etc/fbtab allow only the console user to access the /dev/audio device, by adding:
/dev/console 0600 /dev/audio
/dev/console 0600 /dev/audioctl
* In Solaris 2.3, set /etc/logindevperm to allow only the console user to access /dev/audio.
Cataloguing
Keywords:microphone, audio, eavesdropping
Exploiting
Attack Methods or Tools: audio0.sh (exploit/audio0.sh)
Related Information
Advisories and Other Alerts: Cert Advisory CA-93:15 (CA-93:15), SUN#00122 (SUN#00122)
History
First Report We Know Of: by unknown, date unknown, in unknown
Revisions of Database Record
1. Mike Dilger(1/1/97): From the old database
2. Matt Bishop(7/8/98): Converted to new format