Re: Solaris 2.x utmp hole

Jas (matt@uts.EDU.AU)
Thu, 18 May 1995 16:40:12 +1000 (EST)

Scott Chasin wrote this...

> The following is somewhat of a security hole in Solaris 2.x which
> allows any non-root user to remove themselves from /var/adm/utmp[x]
> files (who, w, finger, etc).

> Now the trick here is also to exploit this enough so that you can
> change your ttyname (which can easily be done) and manipulate a
> system utility into writing to that new ttyname (which could be a
> system file).  This example only takes you out of the utmp files.

Solaris utmp has had heaps of bugs, why don't Sun just fix it up
properly once and for all?? I think I'll put in an RFE for this, just
to make it official, even if the &^%*& (favorite expletive here) won't
do it.

			Matt
-- 
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan   Systems Programmer   Information Technology Division
      University of Technology     Sydney Australia

It's nice to be in a position where people apologize because they
assume there's humor in your work, based on past experience,
but they're not sure where it is. -- Rob Pike