Re: utmp

H Morrow Long (long-morrow@cs.yale.edu)
Tue, 22 Mar 1994 10:16:01 -0500

>From: Aleph One <hbcsc009@huey.csun.edu>
>
>Hmm, can anyone explain a bit more the recent CERT advisory on /etc/utmp?
>I assume the attackers were able to obtain root by fooling programs that
>only use the information in /etc/utmp for authentication, instead of
>calling for the user's user id and real user id. Anyone mind extending
>this description...

For one thing older versions of the SunOS 4.1* comsat program could be
fooled into writing to system files by editing /etc/utmp and changing
your (or anyone's) tty to point to a file or symbolic link pointing to
a file you wish to write to and then sending E-Mail to that userid with
the text you wish written to that file.

I believe the exploitation of that hole goes like this:

o	create a symlink called /tmp/f pointing at /etc/passwd
o	edit /etc/utmp and change one of your current login sessions
	on a tty to point to 'tty' /tmp/f instead (you may need to make
	it point to ../tmp/f since the tty names are assumed to have
	/dev/ prepended to them).
o	send yourself local e-mail on that machine with this text in it:

	toor::0:1:tooR:/:

o	the rest is obvious.

						- Morrow
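The weakness Morrow describes is that comsat took the tty field of a utmp record as a file name and wrote to it as root, so a field pointing at a symlink or at a path outside /dev became a write to any file. The following is an added example, not code from this thread or from any SunOS program: a hypothetical hardening check that a notification daemon (or an audit script run over utmp) could apply to that field before opening it. It assumes a `dev_root` directory (normally /dev), uses `/dev/null` as the one real character device available on any Unix host, and builds its rejected cases as constructed records in a throwaway directory.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class UtmpEntry:
    """One login record; `line` is the tty field that comsat trusted blindly."""
    user: str
    line: str


def safe_tty_path(line, dev_root="/dev"):
    """Return the resolved device path for a utmp line field, or None when the
    field cannot name a terminal under dev_root (hypothetical hardening check)."""
    # A legitimate line is a name relative to /dev such as "ttyp0" or "pts/3":
    # reject empty names, absolute paths and any ".." component up front.
    if not line or line.startswith("/") or ".." in line.split("/"):
        return None
    # The field is a fixed-width, possibly unterminated byte array: refuse
    # control characters that could smuggle a NUL or a line break.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
        return None
    root = os.path.realpath(dev_root)
    try:
        resolved = os.path.realpath(os.path.join(root, line))
        st = os.stat(resolved)
    except OSError:
        return None
    # A symlink under /dev must not lead outside /dev ...
    if os.path.commonpath([root, resolved]) != root:
        return None
    # ... and whatever it resolves to must be a character device, never a
    # regular file such as a password file.
    if not stat.S_ISCHR(st.st_mode):
        return None
    return resolved


def audit_utmp(entries, dev_root="/dev"):
    """Return [(user, line)] for every entry a notifier should refuse to write to."""
    return [(e.user, e.line) for e in entries
            if safe_tty_path(e.line, dev_root) is None]


def demo():
    """Run the check over constructed records against a throwaway fake /dev
    (a regular file plus a symlink escaping the directory) and the real /dev/null."""
    with tempfile.TemporaryDirectory() as fake_dev, \
            tempfile.TemporaryDirectory() as outside:
        target = os.path.join(outside, "not-a-terminal")
        open(target, "w").close()
        os.symlink(target, os.path.join(fake_dev, "f"))          # symlink leaving /dev
        open(os.path.join(fake_dev, "plainfile"), "w").close()   # regular file inside /dev
        constructed = [                                          # constructed records
            UtmpEntry("alice", "f"),
            UtmpEntry("bob", "plainfile"),
            UtmpEntry("carol", "../tmp/f"),
            UtmpEntry("dave", "/tmp/f"),
        ]
        rejected = audit_utmp(constructed, dev_root=fake_dev)
    # /dev/null is a character device on any Unix host, so it passes.
    accepted = safe_tty_path("null")
    return rejected, accepted


if __name__ == "__main__":
    rejected, accepted = demo()
    for user, line in rejected:
        print(f"refuse: user={user} line={line!r}")
    print(f"accept: {accepted}")
```

The four checks are ordered from cheapest to most expensive, and the last two (resolving the path and then requiring a character device) are the ones that actually close the hole: a relative-name check alone still lets a symlink planted under /dev point anywhere. In a real daemon the open itself should also be done with root privileges dropped to the entry's user, which is a separate mitigation this example does not show.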