>From: Aleph One <hbcsc009@huey.csun.edu>
>
>Hmm, anyone can explain a bit more the recent CERT advisory on /etc/utmp.
>I assume the attackers were able to obtain root by fooling programs that
>only use the information in /etc/utmp for authentication, instead of
>calling for the user's user id and real user id. Anyone mind extending
>this description...

For one thing, older versions of the SunOS 4.1* comsat program could be
fooled into writing to system files by editing /etc/utmp and changing your
(or anyone's) tty to point to a file or symbolic link pointing to a file
you wish to write to, and then sending E-Mail to that userid with the text
you wish written to that file.

I believe the exploitation of that hole goes like this:

 o create a symlink called /tmp/f pointing at /etc/passwd

 o edit /etc/utmp and change one of your current login sessions on a tty
   to point to 'tty' /tmp/f instead (you may need to make it point to
   ../tmp/f since the tty names are assumed to have /dev/ prepended to
   them).

 o send yourself local e-mail on that machine with this text in it:

   toor::0:1:tooR:/:

 o the rest is obvious.

- Morrow
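The check a comsat-style program needs before it trusts a utmp tty name, written here as an added C example that is not part of the original post or of SunOS comsat: reject names with a leading slash or a ".." component, open the result under the device directory with O_NOFOLLOW, and confirm the object is a character device. The function names and the /tmp scratch directory used by the constructed symlink check are my own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Accept a utmp ut_line only if it is a relative name with no ".." component,
 * so that devdir + "/" + line cannot name anything outside devdir. */
int utmp_line_is_safe(const char *line)
{
    if (line == NULL || *line == '\0' || *line == '/' || strlen(line) > 64)
        return 0;
    for (const char *p = line; *p != '\0'; p++) {
        int at_start = (p == line || p[-1] == '/');
        if (at_start && p[0] == '.' && p[1] == '.' && (p[2] == '\0' || p[2] == '/'))
            return 0;                      /* "..", "../x", "x/../y" */
    }
    return 1;
}

/* Open devdir/line for writing only if the name is safe, the last component
 * is not a symlink (O_NOFOLLOW; devdir itself is root-owned, so intermediate
 * components are trusted) and the object is a character device, else -1. */
int open_utmp_tty(const char *devdir, const char *line)
{
    char path[1024];
    struct stat st;
    if (!utmp_line_is_safe(line) ||
        snprintf(path, sizeof path, "%s/%s", devdir, line) >= (int)sizeof path)
        return -1;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISCHR(st.st_mode))
        return fd;
    if (fd >= 0)
        close(fd);
    return -1;
}

/* Constructed check: a symlink "f" in a scratch directory that points at
 * /dev/null (a real character device) must still be refused.  1 if refused. */
int symlink_entry_is_rejected(void)
{
    char dir[] = "/tmp/utmpXXXXXX", link[1100];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(link, sizeof link, "%s/f", dir);
    int rejected = symlink("/dev/null", link) == 0 && open_utmp_tty(dir, "f") == -1;
    unlink(link); rmdir(dir);
    return rejected;
}
```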