Bugtraq mailing list archives

RE: 2.4.x/Slackware Init script vulnerability


From: Jeev <geonap () pacbell net>
Date: Wed, 18 Jul 2001 23:59:50 -0700

root@buttmunch:~# ls -l /lib/modules/`uname -r`/modules.dep
-rw-r--r--    1 root     root        49902 Jun 16 20:26 /lib/modules/2.2.19/modules.dep
root@buttmunch:~# uname -a
Linux buttmunch 2.2.19 #5 Sat Jun 16 20:13:44 PDT 2001 i686 unknown
root@buttmunch:~#
^ linux slackware 8.0

root@thunder:~# ls -l /lib/modules/`uname -r`/modules.dep
-rw-rw-rw-    1 root     root         4327 Jul 12 19:49 /lib/modules/2.4.5/modules.dep
root@thunder:~# uname -a
Linux thunder 2.4.5 #1 SMP Thu Jul 12 19:45:50 MST 2001 i686 unknown
root@thunder:~#
^ linux slackware 8.0

j

-----Original Message-----
From: twiz - Perla Enrico [mailto:twi () boiate it] 
Sent: Tuesday, July 17, 2001 3:43 PM
To: bugtraq () securityfocus com
Subject: Re: 2.4.x/Slackware Init script vulnerability

I've tested it on Slackware 7.0 with kernel 2.4.5:
twisterz:~# uname -r
2.4.5
twisterz:~#

I've noticed that, while /var/run/utmp *is* world writable:
twisterz:~# ls -l /var/run/utmp
-rw-rw-rw-   1 root     root         4608 Jul 17 02:27 /var/run/utmp
twisterz:~#
and also /var/run/gpm.pid is -rw-rw-rw-, *but* modules.dep isn't
writable

twisterz:~# ls -l /lib/modules/`uname -r`/modules.dep
-rw-r--r--   1 root     root         2688 Jul 16 19:36 /lib/modules/2.4.5/modules.dep
twisterz:~#

So it can't be edited, and the exploit can't work 'cause you can't
add/change lines to modules.dep.
I'm going to download Slackware 8.0 and test on it; btw, on Slack 7.0 the
possibility still holds of, as you said:


        And of course with /var/run/utmp writeable, users can delete or in
        other ways manipulate their logins as they appear in
        w/who/finger/getlogin(), etc.


twiz - twiz () superdotati net or twi () boiate it - ./twlc
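
Added example, not part of either message above: a POSIX shell check that reports whether the three files compared in this thread (modules.dep for the running kernel, /var/run/utmp, and /var/run/gpm.pid, generalized here to every /var/run/*.pid) are world-writable. The function names and the optional ROOT and KVER arguments are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example. Function names and the ROOT/KVER arguments are assumptions
# made for this illustration; only the three paths come from the thread.

# is_world_writable PATH: exit 0 if PATH is a regular file with the o+w bit
# set, 1 if it is not world-writable, 2 if it is missing or not a regular file.
is_world_writable() {
    [ -f "$1" ] || return 2
    # -perm -0002 matches when "other" has write permission; -H resolves a
    # symlink given on the command line so the target's mode is tested.
    [ -n "$(find -H "$1" -prune -type f -perm -0002 2>/dev/null)" ]
}

# audit_init_files [ROOT] [KVER]: print "WORLD-WRITABLE <path>" per finding
# and return 1 if there was any. ROOT lets the check run against a mounted
# image or a test tree; KVER defaults to the running kernel, as in the
# `uname -r` commands above.
audit_init_files() {
    root=${1:-}
    kver=${2:-$(uname -r)}
    found=0
    for f in "$root/lib/modules/$kver/modules.dep" \
             "$root/var/run/utmp" \
             "$root"/var/run/*.pid; do
        # An unmatched *.pid glob stays literal and is skipped (status 2).
        if is_world_writable "$f"; then
            echo "WORLD-WRITABLE $f"
            found=1
        fi
    done
    return "$found"
}

# Run against the live system only when asked: sh audit.sh --audit [ROOT]
if [ "${1:-}" = "--audit" ]; then
    audit_init_files "${2:-}"
fi
```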
        


