On Wed, 17 May 1995, Scott Chasin wrote:

> The following is somewhat of a security hole in Solaris 2.x which
> allows any non-root user to remove themselves from /var/adm/utmp[x]
> files (who, w, finger, etc).

This is interesting. Don't tell me, this is not a bug but a feature! Why would Sun allow anyone to modify the utmp file?

> Now the trick here is also to exploit this enough so that you can
> change your ttyname (which can easily be done) and manipulate a
> system utility into writing to that new ttyname (which could be a
> system file). This example only takes you out of the utmp files.

I tried this under Solaris 2.4 on an Intel box. It worked. It removed me from the utmp file. I was curious, so I did a "who -a /var/adm/wtmp" to see what happened. I found a "logout" entry was entered. I did this a few times to verify it. So you can't spoof this completely. You should be able to tell that someone was doing something.

What's to prevent a lot of things? The way I see this, you can make yourself look like a "real" user! Then how can one trace logins?

Anyone think a CERT advisory should be issued for this??

scott barman
scott@disclosure.com