> Subject: Solaris 2.x utmp hole
>
> The following is somewhat of a security hole in Solaris 2.x which
> allows any non-root user to remove themselves from /var/adm/utmp[x]
> files (who, w, finger, etc).
>
> Now the trick here is also to exploit this enough so that you can
> change your ttyname (which can easily be done) and manipulate a
> system utility into writing to that new ttyname (which could be a
> system file). This example only takes you out of the utmp files.

1. On line 95, the call to gettimeofday should be
   "gettimeofday (&(ut->ut_tv), 0);" (yes, my compiler complained about
   mis-matched prototypes).

2. This bug is not in evidence on UnixWare 2.01.

--
Christopher J. Calabrese
Network Security Architect
Novell Information Services & Technology, Summit, NJ
cjc@summit.novell.com