Bugtraq mailing list archives
Re: Solaris 2.x utmp hole
From: scott () Disclosure COM (Scott Barman)
Date: Thu, 18 May 1995 12:19:23 -0400 (EDT)
On Wed, 17 May 1995, Scott Chasin wrote:
> The following is somewhat of a security hole in Solaris 2.x which allows any non-root user to remove themselves from /var/adm/utmp[x] files (who, w, finger, etc).
This is interesting. Don't tell me, this is not a bug but a feature! Why would Sun allow anyone to modify the utmp file?
> Now the trick here is also to exploit this enough so that you can change your ttyname (which can easily be done) and manipulate a system utility into writing to that new ttyname (which could be a system file). This example only takes you out of the utmp files.
I tried this under Solaris 2.4 on an Intel box. It worked. It removed me from the utmp file. I was curious, so I did a "who -a /var/adm/wtmp" to see what happened. I found a "logout" entry was entered. I did this a few times to verify it. So you can't spoof this completely. You should be able to tell that someone was doing something.

What's to prevent a lot of things? The way I see this, you can make yourself look like a "real" user! Then how can one trace logins? Anyone think a CERT advisory should be issued for this??

scott barman
scott () disclosure com