Re: Solaris 2.x utmp hole

cjc@summit.novell.com
Thu, 18 May 1995 09:25 EDT

 > Subject: Solaris 2.x utmp hole
 > 
 > The following is somewhat of a security hole in Solaris 2.x which
 > allows any non-root user to remove themselves from /var/adm/utmp[x]
 > files (who, w, finger, etc).
 > 
 > Now the trick here is also to exploit this enough so that you can
 > change your ttyname (which can easily be done) and manipulate a
 > system utility into writing to that new ttyname (which could be a
 > system file).  This example only takes you out of the utmp files.

1.  On line 95, the call to gettimeofday should be
    "gettimeofday (&(ut->ut_tv), 0);" (yes, my compiler complained
    about mismatched prototypes).

2.  This bug is not in evidence on UnixWare 2.01.

--
Christopher J. Calabrese
Network Security Architect
Novell Information Services & Technology, Summit, NJ
cjc@summit.novell.com