Re: Solaris 2.x utmp hole

Scott Barman (scott@Disclosure.COM)
Thu, 18 May 1995 12:19:23 -0400 (EDT)

On Wed, 17 May 1995, Scott Chasin wrote:
> 
> The following is somewhat of a security hole in Solaris 2.x which
> allows any non-root user to remove themselves from /var/adm/utmp[x]
> files (who, w, finger, etc).

This is interesting.  Don't tell me, this is not a bug but a feature!
Why would Sun allow anyone to modify the utmp file?

> Now the trick here is also to exploit this enough so that you can
> change your ttyname (which can easily be done) and manipulate a
> system utility into writing to that new ttyname (which could be a
> system file).  This example only takes you out of the utmp files.

I tried this under Solaris 2.4 on an Intel box.  It worked.  It removed
me from the utmp file.  I was curious, so I did a "who -a /var/adm/wtmp"
to see what happened.  I found a "logout" entry was entered.  I did this
a few times to verify it.

So you can't spoof this completely.  You should be able to tell that
someone was doing something.

What's to prevent a lot of things?  The way I see this, you can make
yourself look like a "real" user!  Then how can one trace logins?

Anyone think a CERT advisory should be issued for this??

scott barman
scott@disclosure.com
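The observation above (a user vanishes from utmp, but wtmp keeps a "logout" record while the shell is still running) suggests a simple cross-check an administrator can run. The script below is an added example, not part of this thread and not anything Sun ships. It assumes the glibc x86_64 `struct utmp` record layout (384 bytes) for both files; Solaris 2.x utmp/utmpx records use a different struct, so the format string would have to be changed there, but the comparison logic is the same. All records it reads are constructed inline; `pid_alive_local` is the only part that touches the running host, and the demo replaces it with a fixed set of "live" pids.

```python
"""Cross-check utmp against wtmp to spot sessions that were scrubbed from utmp."""
import os
import struct
from typing import Callable, Dict, List

# Assumed record layout: glibc x86_64 `struct utmp` (384 bytes, little-endian).
# Solaris 2.x records differ; adjust UTMP_FMT and the field indices below there.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes
USER_PROCESS = 7   # login record: a user is on this line
DEAD_PROCESS = 8   # logout record: the session on this line ended


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def pack_record(ut_type: int, pid: int, line: str, user: str, host: str, ts: int) -> bytes:
    """Build one utmp/wtmp record; used here only to construct sample files."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, b"", b"")


def parse_records(blob: bytes) -> List[Dict]:
    """Split a utmp/wtmp blob into dicts with the fields the checks need."""
    recs = []
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def sessions_open_in_wtmp(wtmp: List[Dict]) -> Dict[str, Dict]:
    """Replay wtmp in order: a login opens a line, a logout closes it."""
    open_lines: Dict[str, Dict] = {}
    for r in wtmp:
        if r["type"] == USER_PROCESS:
            open_lines[r["line"]] = r
        elif r["type"] == DEAD_PROCESS:
            open_lines.pop(r["line"], None)
    return open_lines


def pid_alive_local(pid: int) -> bool:
    """Signal 0 tests whether a pid exists without delivering anything."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def find_anomalies(utmp_blob: bytes, wtmp_blob: bytes,
                   pid_alive: Callable[[int], bool] = pid_alive_local) -> List[str]:
    """Two signs that utmp was edited instead of the user logging out:
    1. wtmp still shows the line open, but utmp no longer lists it;
    2. the last wtmp record for a line is a logout, yet that pid is still running
       (the case seen in the thread: the tool wrote a logout entry to wtmp)."""
    utmp = parse_records(utmp_blob)
    wtmp = parse_records(wtmp_blob)
    findings = []
    listed = {r["line"] for r in utmp if r["type"] == USER_PROCESS}
    for line, r in sessions_open_in_wtmp(wtmp).items():
        if line not in listed:
            findings.append(f"{r['user']} on {line}: open in wtmp, missing from utmp")
    last_by_line: Dict[str, Dict] = {}
    for r in wtmp:
        if r["type"] in (USER_PROCESS, DEAD_PROCESS):
            last_by_line[r["line"]] = r
    for line, r in last_by_line.items():
        if r["type"] == DEAD_PROCESS and pid_alive(r["pid"]):
            findings.append(f"{line}: logout recorded in wtmp, but pid {r['pid']} is still alive")
    return findings


# Constructed sample data (timestamps are May 1995 epoch seconds):
#  alice logged out normally; bob scrubbed his utmp entry and a logout record
#  landed in wtmp while his shell (pid 4102) kept running; carol zeroed her
#  utmp entry leaving wtmp untouched; dave is a normal, still-logged-in user.
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 4001, "pts/1", "alice", "host-a", 800_000_000),
    pack_record(USER_PROCESS, 4102, "pts/2", "bob", "host-b", 800_000_060),
    pack_record(USER_PROCESS, 4203, "pts/3", "carol", "host-c", 800_000_120),
    pack_record(USER_PROCESS, 4304, "pts/4", "dave", "host-d", 800_000_180),
    pack_record(DEAD_PROCESS, 4001, "pts/1", "", "", 800_000_300),
    pack_record(DEAD_PROCESS, 4102, "pts/2", "", "", 800_000_360),
])
SAMPLE_UTMP = pack_record(USER_PROCESS, 4304, "pts/4", "dave", "host-d", 800_000_180)
LIVE_PIDS = {4102, 4203, 4304}  # constructed stand-in for the process table


def demo() -> List[str]:
    return find_anomalies(SAMPLE_UTMP, SAMPLE_WTMP, lambda pid: pid in LIVE_PIDS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against the sample data the first check catches carol (open in wtmp, absent from utmp) and the second catches the line bob scrubbed (logout in wtmp, pid still alive); dave produces nothing. On a real host you would pass the contents of /var/adm/utmp and /var/adm/wtmp and let `pid_alive_local` probe the process table.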